Penetration Testing mailing list archives
Re: Testing F5 3DNS
From: Jay Beale <jay () bastille-linux org>
Date: Fri, 06 Aug 2004 09:35:06 -0700
Bradley D. Moore wrote:
> It sounds like a simple (non-stateful) packet filter (router or host-based) sits between you and your test subject. Unable to detect "state" in UDP packets (I suppose "relatedness" would be more precise), there's probably an "allow udp src=53" rule.
> If that's true, it's very old school technology (IMHO). This is a slight tangent, but one worth noting on this mailing list.

While the filter could be stateless, it could also be stateful but simply be horrible with respect to DNS. Microsoft's Internet Connection Firewall, for instance, will open its resolver's port to all IP addresses whenever it has sent out a request to its DNS server in the last 60 seconds. There's a great Phrack article on this, quoted below.

- Jay

From Phrack (http://www.phrack.org/phrack/62/p62-0x03_Linenoise.txt):

It can be seen that when the Windows XP computer sent a UDP packet from port 1026 to port 53 of the DNS server, the firewall allowed all incoming UDP traffic to port 1026, regardless of the source IP address or source port of the incoming traffic. Such incoming traffic was allowed to continue until the firewall decided to block access to port 1026, which occurred when there was no incoming traffic to port 1026 for a defined period of time. This timeframe was between 61 seconds and 120 seconds, as it appeared that the firewall checked once per minute to determine if access to ports should be revoked due to more than 60 seconds of inactivity. Assuming that users connected to the Internet would typically perform a DNS query at least every minute, incoming access to port 1026 would always be granted.
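As an added illustration (not part of this thread or of any of the products named), here is a toy Python model of the three filter behaviours discussed above: a stateless "allow udp src=53" rule, a loose tracker keyed only on the local port (the behaviour the Phrack quote describes), and a strict tracker keyed on the full 4-tuple. The hosts, ports and 60-second idle timeout are constructed sample values, and the point is that only the strict tracker rejects unsolicited datagrams from third parties.

```python
from collections import namedtuple

UdpPacket = namedtuple("UdpPacket", "src_ip src_port dst_ip dst_port")

def stateless_src53_allowed(pkt: UdpPacket) -> bool:
    """Stateless rule 'allow udp src=53': trusts the attacker-chosen source port alone."""
    return pkt.src_port == 53

class UdpStateTable:
    """Toy stateful UDP filter. strict=True keys entries on the full 4-tuple;
    strict=False keys only on the local port, reproducing the loose behaviour
    quoted above (any source may reach a port that recently sent a query)."""
    def __init__(self, strict: bool, idle_timeout: float = 60.0):
        self.strict = strict
        self.idle_timeout = idle_timeout  # constructed value, see thread for real range
        self.entries = {}  # key -> timestamp of last matching packet

    def _key(self, local_ip, local_port, remote_ip, remote_port):
        if self.strict:
            return (local_ip, local_port, remote_ip, remote_port)
        return local_port

    def outbound(self, pkt: UdpPacket, now: float) -> None:
        self.entries[self._key(pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)] = now

    def inbound_allowed(self, pkt: UdpPacket, now: float) -> bool:
        key = self._key(pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        last = self.entries.get(key)
        if last is None or now - last > self.idle_timeout:
            self.entries.pop(key, None)  # no entry or idle too long: revoke access
            return False
        self.entries[key] = now  # inbound traffic refreshes the entry, as described
        return True

def demo() -> dict:
    # Constructed sample addresses from the RFC 5737 documentation ranges.
    host, resolver, stranger = "192.0.2.10", "198.51.100.53", "203.0.113.7"
    query = UdpPacket(host, 1026, resolver, 53)
    reply = UdpPacket(resolver, 53, host, 1026)
    unsolicited = UdpPacket(stranger, 40000, host, 1026)
    spoofed_src53 = UdpPacket(stranger, 53, host, 1026)
    results = {}
    for name, strict in (("loose", False), ("strict", True)):
        table = UdpStateTable(strict)
        table.outbound(query, now=0.0)
        results[f"{name}_reply"] = table.inbound_allowed(reply, now=0.1)
        results[f"{name}_unsolicited"] = table.inbound_allowed(unsolicited, now=10.0)
        results[f"{name}_after_idle"] = table.inbound_allowed(reply, now=200.0)
    results["stateless_spoofed_src53"] = stateless_src53_allowed(spoofed_src53)
    return results
```

Running `demo()` shows the loose table admitting the stranger's datagram to port 1026 while the strict table admits only the resolver's reply; both close the port after the idle period.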