nanog mailing list archives
RE: DNS Attacks
From: Drew Weaver <drew.weaver () thenap com>
Date: Wed, 18 Jan 2012 14:26:57 -0500
-----Original Message----- From: Christopher Morrow [mailto:morrowc.lists () gmail com] Sent: Wednesday, January 18, 2012 11:43 AM To: Steven Bellovin Cc: nanog () nanog org Subject: Re: DNS Attacks yup... I think roland and nick (he can correct me, roland I KNOW is saying this) are basically saying: permit tcp any any eq 80 permit tcp any any eq 443 deny ip any any is far, far better than state management in a firewall. Anything more complex and your firewall fails long before the 7206's interface/filter will :( Some folks would say you'd be better off doing some LB/filtering-in-software behind said router interface filter, I can't argue with that.
But you don't get the benefit of UNIFIED THREAT MANAGEMENT or syn-authentication with an access-list or what happens if someone sends your wordpress blog a malformed GET request which causes it to give the attacker root? Or Slowloris, or one of any thousand other HTTP protocol based attacks? (I'm being sarcastic but that is the argument you will hear). Seriously though if there is one thing I wish people would stop doing it is releasing web vulnerability scanners for free (like acunetix), they're easy enough to catch because they use sitemaps but they can be a bit annoying and generate a lot of load =) -Drew
Current thread:
- Re: DNS Attacks, (continued)
- Re: DNS Attacks Ken A (Jan 19)
- Re: DNS Attacks virendra rode (Jan 18)
- RE: DNS Attacks Drew Weaver (Jan 18)
- Re: DNS Attacks Dennis (Jan 18)
- RE: DNS Attacks Leigh Porter (Jan 18)
- Re: DNS Attacks Nick Hilliard (Jan 18)
- Re: DNS Attacks Christopher Morrow (Jan 18)
- Re: DNS Attacks Steven Bellovin (Jan 18)
- Re: DNS Attacks Christopher Morrow (Jan 18)
- Re: DNS Attacks Cameron Byrne (Jan 18)
- RE: DNS Attacks Drew Weaver (Jan 18)
- RE: DNS Attacks Leigh Porter (Jan 18)