Firewall Wizards mailing list archives
Re: terminal services
From: Barney Wolff <barney () pit databus com>
Date: Wed, 29 Jan 2003 22:58:31 -0500
On Wed, Jan 29, 2003 at 05:09:29PM -0500, Paul Robertson wrote:
> ... Let's not forget that nailing DNS source ports to 53 reduces somewhat (though by a trivial amount) resistance to blind spoofing attacks.
For named, the reduction is really trivial. Bind8, at least, when named.conf says "query-source * port *;" opens up a single non-priv socket and uses it for all requests.

For real resistance to blind spoofing, it should open a new socket for each request - but that could lead to fatal resource exhaustion on a busy system, and might even overload firewall state tables.

A casual scan of bind9 source was not enough to figure out if it's any different.

-- 
Barney Wolff
http://www.databus.com/bwresume.pdf
I'm available by contract or FT, in the NYC metro area or via the 'Net.
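A small model of the point made above, added here as an example (not code from the list, from Paul, from Barney, or from bind): it generates constructed samples of outgoing queries under three source-port policies (nailed to 53, one reused ephemeral socket as described for bind8, a fresh socket per request) and reports the guess space a blind forger faces once it has seen the resolver's ports. The `observe`/`analyze` helpers and the sample sizes are assumptions for illustration.

```python
import math
import random
from collections import Counter

TXID_SPACE = 1 << 16            # 16-bit DNS transaction ID
EPHEMERAL = range(1024, 65536)  # non-privileged source ports

def observe(policy, n, seed=7):
    """Constructed sample of n outgoing queries as (src_port, txid) pairs.

    policy: 'nailed'  -> source port fixed at 53
            'single'  -> one ephemeral socket reused for every query
            'per_req' -> a fresh socket (fresh random port) per query
    """
    rng = random.Random(seed)
    fixed = rng.choice(EPHEMERAL)   # the one socket a 'single' resolver keeps
    out = []
    for _ in range(n):
        txid = rng.randrange(TXID_SPACE)
        if policy == "nailed":
            port = 53
        elif policy == "single":
            port = fixed
        else:
            port = rng.choice(EPHEMERAL)
        out.append((port, txid))
    return out

def analyze(obs):
    """Summarize how much a blind forger must guess, given observed traffic."""
    ports = Counter(p for p, _ in obs)
    distinct = len(ports)
    # Guess space as seen so far: every port observed times all possible TXIDs.
    # For 'nailed' and 'single' this is identical (one port), which is why
    # pinning to 53 costs nothing extra if the resolver already reuses a socket.
    guess_space = distinct * TXID_SPACE
    return {
        "distinct_ports": distinct,
        "port_bits": math.log2(distinct),
        "guess_space": guess_space,
        "success_per_forgery": 1 / guess_space,
    }

if __name__ == "__main__":
    for policy in ("nailed", "single", "per_req"):
        print(policy, analyze(observe(policy, 200)))
```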