Security Incidents mailing list archives
Re: Pubstro rash
From: Mark Coleman <markc () uniontown com>
Date: Thu, 17 Mar 2005 16:50:45 -0500
Hi David,

>3. Instead of a random high port, the installed FTP server
>listens on port 53. Which I can't block, because DNS may
>need to use it, right?
>
>4. The FTP banners all claim to be the work of "Droppunx".

If these are workstations, not servers, then you should be able to block TCP 53 INBOUND to them from the world without harming their DNS resolution, and effectively block the world's access to these FTP servers running on TCP port 53. Since you say they have a banner, I am assuming TCP.

DNS typically (from memory) will use UDP for most requests, but will fall over to TCP for requests over 576 bytes in size, but if these are workstations then you can allow both TCP/UDP port 53 OUT and still block TCP port 53 IN and that shouldn't affect DNS for these workstations. TCP, being stateful, lets you discriminate on direction at layer 4. Stopping inbound SYNs on port 53 IN will only cause a problem if it's a DNS server that the world is trying to hit.

-Mark Coleman
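
The direction test described in the message above, as an added example that is not part of the original post: a small Python model of the rule "drop connection-opening SYNs arriving for local TCP 53, pass everything else", run over constructed sample segments. The `Segment` type, port numbers and labels are assumptions made for the illustration, and the check is a stateless SYN match rather than full connection tracking.

```python
from dataclasses import dataclass

DNS_PORT = 53

@dataclass(frozen=True)
class Segment:
    direction: str                  # "in" = world -> workstation, "out" = workstation -> world
    proto: str                      # "tcp" or "udp"
    src_port: int
    dst_port: int
    flags: frozenset = frozenset()  # TCP flags; empty for UDP

def is_new_inbound_tcp53(seg):
    """True for a connection-opening SYN from outside aimed at local TCP 53."""
    return (seg.direction == "in" and seg.proto == "tcp"
            and seg.dst_port == DNS_PORT
            and "SYN" in seg.flags and "ACK" not in seg.flags)

def verdict(seg):
    # Only the opening SYN toward the workstation's port 53 is refused.
    # Replies from a resolver arrive *from* port 53 with ACK set, so they pass.
    return "drop" if is_new_inbound_tcp53(seg) else "pass"

# Constructed sample traffic for one workstation (not captured data).
SAMPLE = [
    ("udp query out",               Segment("out", "udp", 40000, 53)),
    ("udp reply in",                Segment("in", "udp", 53, 40000)),
    ("tcp query SYN out",           Segment("out", "tcp", 40001, 53, frozenset({"SYN"}))),
    ("tcp SYN-ACK from resolver",   Segment("in", "tcp", 53, 40001, frozenset({"SYN", "ACK"}))),
    ("tcp answer from resolver",    Segment("in", "tcp", 53, 40001, frozenset({"ACK", "PSH"}))),
    ("world SYN to workstation:53", Segment("in", "tcp", 51000, 53, frozenset({"SYN"}))),
]

def evaluate(sample=SAMPLE):
    """Return {label: verdict} for each constructed segment."""
    return {label: verdict(seg) for label, seg in sample}

if __name__ == "__main__":
    for label, result in evaluate().items():
        print(f"{result:5} {label}")
```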