Firewall Wizards mailing list archives

Re: terminal services


From: Barney Wolff <barney () pit databus com>
Date: Wed, 29 Jan 2003 22:58:31 -0500

On Wed, Jan 29, 2003 at 05:09:29PM -0500, Paul Robertson wrote:
> ...
> Let's not forget that nailing DNS source ports to 53 reduces somewhat
> (though by a trivial amount) resistance to blind spoofing attacks.

For named, the reduction is really trivial.  Bind8, at least, when
named.conf says "query-source * port *;" opens up a single non-priv
socket and uses it for all requests.  For real resistance to blind
spoofing, it should open a new socket for each request - but that
could lead to fatal resource exhaustion on a busy system, and might
even overload firewall state tables.  A casual scan of bind9 source
was not enough to figure out if it's any different.

-- 
Barney Wolff         http://www.databus.com/bwresume.pdf
I'm available by contract or FT, in the NYC metro area or via the 'Net.
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
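The point made in the exchange above, as an added example (not code from the post, from BIND, or from anyone on the list): a small Python model of blind response spoofing under the three source-port policies discussed, "query-source port 53", "port *" with one long-lived socket (what the reply says BIND 8 does), and a fresh socket per query. Assumptions of the model, not facts from the page: the unprivileged source-port range is 1024-65535, the resolver has one query in flight at a time, and the attacker learns the resolver's source port by getting it to look up a name in a zone the attacker serves. The `distinct_ports` helper is also hypothetical; it only counts the new ports (and so new sockets and firewall state entries) that a per-query policy would create.

```python
"""Toy model of blind DNS-response spoofing against a caching resolver
under three source-port policies.  Added example, not from the post; it
models only what the post states about BIND 8 ("query-source * port *"
uses one long-lived socket) and assumes a 1024-65535 unprivileged range."""
import random

PORT_SPACE = range(1024, 65536)   # assumed unprivileged source-port range
TXID_SPACE = 1 << 16              # DNS transaction ID is a 16-bit field


class Resolver:
    """One in-flight query at a time; a reply is accepted only if its
    (destination port, transaction ID) pair matches that query."""

    def __init__(self, policy, rng):
        self.policy = policy          # "fixed_53" | "single_socket" | "per_query"
        self.rng = rng
        self.socket_port = None       # chosen once for single_socket
        self.outstanding = None

    def source_port(self):
        if self.policy == "fixed_53":          # query-source port 53
            return 53
        if self.policy == "single_socket":     # port * but one socket for all queries
            if self.socket_port is None:
                self.socket_port = self.rng.choice(PORT_SPACE)
            return self.socket_port
        if self.policy == "per_query":         # new socket, hence new port, per query
            return self.rng.choice(PORT_SPACE)
        raise ValueError(self.policy)

    def send_query(self):
        self.outstanding = (self.source_port(), self.rng.randrange(TXID_SPACE))
        return self.outstanding      # what the queried server sees on the wire

    def accept(self, port, txid):
        if self.outstanding == (port, txid):
            self.outstanding = None
            return True
        return False


def guess_space(policy, port_learned):
    """Number of (port, txid) pairs an attacker must cover to be sure of a hit."""
    if policy == "fixed_53" or (policy == "single_socket" and port_learned):
        return TXID_SPACE
    return len(PORT_SPACE) * TXID_SPACE


def blind_spoof(policy, budget, trials, seed=1):
    """Fraction of trials in which a forged reply is accepted.

    Attack model (assumed): the attacker first gets the resolver to look up a
    name in a zone the attacker serves, so it sees that query's source port,
    then sends `budget` forged replies to the learned port, walking the txids.
    """
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        r = Resolver(policy, rng)
        learned_port, learned_txid = r.send_query()   # lookup in attacker's zone
        r.accept(learned_port, learned_txid)          # answered legitimately
        r.send_query()                                # the query to be poisoned
        for txid in range(min(budget, TXID_SPACE)):
            if r.accept(learned_port, txid):
                hits += 1
                break
    return hits / trials


def distinct_ports(policy, n_queries, seed=1):
    """Distinct source ports used over n queries: the cost the reply warns
    about, since each new port is a new socket and a new firewall state entry."""
    r = Resolver(policy, random.Random(seed))
    return len({r.send_query()[0] for _ in range(n_queries)})


if __name__ == "__main__":
    for policy in ("fixed_53", "single_socket", "per_query"):
        print(policy,
              "guess space once the port is learned:", guess_space(policy, True),
              "spoof success with a full txid sweep:", blind_spoof(policy, TXID_SPACE, 5),
              "distinct ports after 1000 queries:", distinct_ports(policy, 1000))
```

Under this model the single-socket "port *" configuration is no better than port 53 against an attacker who can learn the port once, which is the reply's point; only the per-query policy makes the port part of the secret, and the port-count helper shows why that policy costs sockets and firewall state.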
