Date:      Tue, 09 May 2000 11:40:09 +1000
From:      Tony Landells <ahl@austclear.com.au>
To:        Richard Martin <dmartin@origen.com>
Cc:        freebsd-ipfw@FreeBSD.ORG
Subject:   Re: Firewall Rules 
Message-ID:  <200005090140.LAA25659@tungsten.austclear.com.au>
In-Reply-To: Your message of "Mon, 08 May 2000 20:15:41 EST." <391766BD.CCFEE646@origen.com> 


> Question.  I have a similar rule in the firewall of our nameserver:
> 
> ipfw add allow udp from x.x.x.x 53 to any 1024-65535 out via ed0
> 
> Are all DNS replies handled at ports > 1023?

Not necessarily.  Some versions of BIND will use port 53 for both ends
of the connection.  Some operating systems allow you to choose the value
of the lowest unprivileged port.

> I sometimes get these:
> 
> May  8 15:42:21 altair /kernel: ipfw: 7500 Deny UDP X.X.X.X:53 4.17.20.4:673
> out via ed0
> 
> Legitimate request or probe?
> 
> Also, I have denied TCP transfers at port 53 except to our slaves, and I
> occasionally get brief bursts of packets like this:
> 
> May  8 15:32:11 altair /kernel: ipfw: 7400 Deny TCP X.X.X.X:3835
> 192.76.144.16:53 out via ed0
> May  8 15:32:11 altair /kernel: ipfw: 7400 Deny TCP X.X.X.X:3833
> 193.0.0.193:53 out via ed0
> May  8 15:32:11 altair /kernel: ipfw: 7400 Deny TCP X.X.X.X:3836
> 198.6.1.182:53 out via ed0
> 
> Most of the IPs in these seem to be spoofed. Any idea what sort of attack
> signature this is?

This can occur legitimately under a few circumstances: some clients will
generate a TCP query if the response is larger than a single UDP packet,
or if there are problems with the UDP response, or if they come from people
that haven't read the specs ;-)

This could also be an attempt to perform a file transfer as the fastest
way to find out what hosts you have defined in DNS (for either good or
bad reasons).

It could also be an attempt to attack your system per some of the BIND
vulnerabilities described in CERT Advisory CA-99-14.

You're much better off controlling this in BIND, which can actually make
a decision based on the query type.

Tony
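As an added example (not code from the thread), a small Python parser that reads ipfw deny lines in the format quoted above, tags each denied DNS packet with the explanations offered in this message (a peer that uses port 53 on both ends, a peer whose unprivileged ports start below 1024, a TCP query to port 53), and flags same-second bursts of TCP/53 denials per rule. The log lines are constructed, with RFC 5737 documentation addresses.

```python
import re
from collections import Counter
# Constructed sample lines in the ipfw syslog format quoted in the thread
# (RFC 5737 documentation addresses, not real hosts).
SAMPLE_LOG = """\
May  8 15:42:21 altair /kernel: ipfw: 7500 Deny UDP 192.0.2.1:53 198.51.100.4:673 out via ed0
May  8 15:42:25 altair /kernel: ipfw: 7500 Deny UDP 192.0.2.1:53 198.51.100.9:53 out via ed0
May  8 15:32:11 altair /kernel: ipfw: 7400 Deny TCP 192.0.2.1:3835 203.0.113.16:53 out via ed0
May  8 15:32:11 altair /kernel: ipfw: 7400 Deny TCP 192.0.2.1:3833 203.0.113.193:53 out via ed0
May  8 15:32:11 altair /kernel: ipfw: 7400 Deny TCP 192.0.2.1:3836 203.0.113.182:53 out via ed0
May  8 15:33:02 altair /kernel: ipfw: 7400 Deny TCP 192.0.2.1:3840 203.0.113.7:53 out via ed0
"""

LOG_RE = re.compile(
    r"^(?P<stamp>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ /kernel: ipfw: (?P<rule>\d+) "
    r"(?P<action>\w+) (?P<proto>UDP|TCP) (?P<src>[\d.]+):(?P<sport>\d+) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<dir>in|out) via (?P<iface>\S+)$"
)

def parse_ipfw(text):
    """Yield one dict per ipfw log line; lines that are not ipfw entries are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            d = m.groupdict()
            d.update({k: int(d[k]) for k in ("rule", "sport", "dport")})
            yield d

def classify(entry):
    """Tag a denied DNS packet with the explanations offered in the thread."""
    if entry["proto"] == "UDP" and entry["sport"] == 53:
        if entry["dport"] == 53:
            return "udp-reply-to-port-53"   # peer uses port 53 on both ends
        if entry["dport"] < 1024:
            return "udp-reply-to-low-port"  # peer's unprivileged ports start below 1024
    if entry["proto"] == "TCP" and entry["dport"] == 53:
        return "tcp-to-53"  # truncated-UDP fallback, zone transfer attempt, or probe
    return "other"

def summarize(text):
    """Count each class and list (rule, second) pairs with 3+ TCP/53 denials."""
    classes, per_second = Counter(), Counter()
    for e in parse_ipfw(text):
        c = classify(e)
        classes[c] += 1
        if c == "tcp-to-53":
            per_second[(e["rule"], e["stamp"])] += 1
    bursts = sorted(k for k, n in per_second.items() if n >= 3)
    return classes, bursts
```

A burst of TCP/53 denials in one second is only a hint; as the reply says, the decision about zone transfers belongs in BIND, which sees the query type.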
