Bugtraq mailing list archives

Re: NFS packet blocking (Was Mouse EXPLOIT info...)

From: casper () fwi uva nl (Casper Dik)
Date: Fri, 20 Jan 1995 16:05:59 +0100

Sun's NFS implementation always used TCP as well as UDP -- a better
idea would be to block portmapper (111 udp/tcp) as well as NFS ---
but it depends on how paranoid you wish to be.


Sun's NFS implementation has never used TCP, only UDp.
Mountd does use TCP.

Blocking tcp/udp 2049 will not prevent *ALL* NFS attacks -- you might still
be able to get the fh's through source routed requests to rpc.mountd (which
might run on TCP & UDP ports), but it won't give you any access -- you can never
retrieve any data, because you can't get a reply send back to you (you'd
need to fake the src address to get a reply, but you won't pass the filters
if you want the reply.. UDP doesn't have an IP_OPTIONS, thus doesn't support
source routing.)

if NFS is filtered at the router, you will be able to send "unlink" requests
(using the fh's you have) but it will only cause damage, which is still 
dangerous enough.


Not necessarily.  If you block all requests destined for port 2049
in an inbound filter, faked packets won't get through, no matter
what the source address is.

Casper

Current thread:

re: WWW Servers Bandwidth flood on Internet Rikhardur Egilsson (Jan 18)
- Re: WWW Servers Bandwidth flood on Internet Casper Dik (Jan 18)
- NFS packet blocking (Was Mouse EXPLOIT info...) Dave Williss (Jan 18)
  - Re: NFS packet blocking (Was Mouse EXPLOIT info...) Rafi Sadowsky (Jan 19)
    - Re: NFS packet blocking (Was Mouse EXPLOIT info...) jsz (Jan 20)
    - Re: NFS packet blocking (Was Mouse EXPLOIT info...) Darren Reed (Jan 20)
    - Re: NFS packet blocking (Was Mouse EXPLOIT info...) Casper Dik (Jan 20)
- <Possible follow-ups>
- Re: WWW Servers Bandwidth flood on Internet der Mouse (Jan 18)
  - Re: WWW Servers Bandwidth flood on Internet Casper Dik (Jan 18)