Date: Tue, 09 May 2000 11:40:09 +1000
From: Tony Landells <ahl@austclear.com.au>
To: Richard Martin <dmartin@origen.com>
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: Firewall Rules
Message-ID: <200005090140.LAA25659@tungsten.austclear.com.au>
In-Reply-To: Your message of "Mon, 08 May 2000 20:15:41 EST." <391766BD.CCFEE646@origen.com>
> Question. I have a similar rule in the firewall of our nameserver:
>
> ipfw add allow udp from x.x.x.x 53 to any 1024-65535 out via ed0
>
> Are all DNS replies handled at ports > 1023?

Not necessarily. Some versions of BIND will use port 53 for both ends of the
connection. Some operating systems allow you to choose the value of the
lowest unprivileged port.

> I sometimes get these:
>
> May 8 15:42:21 altair /kernel: ipfw: 7500 Deny UDP X.X.X.X:53 4.17.20.4:673
> out via ed0
>
> Legitimate request or probe?
>
> Also, I have denied TCP transfers at port 53 except to our slaves, and I
> occasionally get brief bursts of packets like this:
>
> May 8 15:32:11 altair /kernel: ipfw: 7400 Deny TCP X.X.X.X:3835
> 192.76.144.16:53 out via ed0
> May 8 15:32:11 altair /kernel: ipfw: 7400 Deny TCP X.X.X.X:3833
> 193.0.0.193:53 out via ed0
> May 8 15:32:11 altair /kernel: ipfw: 7400 Deny TCP X.X.X.X:3836
> 198.6.1.182:53 out via ed0
>
> Most of the IPs in these seem to be spoofed. Any idea what sort of attack
> signature this is?

This can occur legitimately under a few circumstances: some clients will
generate a TCP query if the response is larger than a single UDP packet, or
if there are problems with the UDP response, or if they come from people that
haven't read the specs ;-)

This could also be an attempt to perform a file transfer as the fastest way
to find out what hosts you have defined in DNS (for either good or bad
reasons). It could also be an attempt to attack your system per some of the
BIND vulnerabilities described in CERT Advisory CA-99-14.

You're much better off controlling this in BIND, which can actually make a
decision based on the query type.

Tony

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message
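A small triage script for the ipfw deny lines quoted in this thread, added here as an example; it is not part of the thread, of ipfw or of BIND. It encodes the two explanations given in the reply above as classifications: a blocked UDP reply from port 53 to a client port below 1024 (a resolver querying from a privileged port, which the 1024-65535 rule does not cover), and same-second groups of outbound TCP connections to remote port 53 (the "brief bursts", which the reply attributes to TCP retries of truncated UDP answers or to transfer attempts). It assumes the log format visible in the quoted lines (syslog timestamp, host, `/kernel: ipfw:` prefix); the sample lines are constructed from the thread with its X.X.X.X placeholder kept, and the category names are this example's own.

```python
"""Triage ipfw 'Deny' log lines for DNS traffic, following the reasoning in
the reply above. Log format assumed: FreeBSD syslog lines of the form
'<ts> <host> /kernel: ipfw: <rule> Deny <proto> <src>:<sport> <dst>:<dport> <in|out> via <iface>'."""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass

# Constructed sample input: the lines quoted in the thread, with the original
# X.X.X.X placeholder standing in for the local nameserver's address.
SAMPLE_LOG = """\
May 8 15:42:21 altair /kernel: ipfw: 7500 Deny UDP X.X.X.X:53 4.17.20.4:673 out via ed0
May 8 15:32:11 altair /kernel: ipfw: 7400 Deny TCP X.X.X.X:3835 192.76.144.16:53 out via ed0
May 8 15:32:11 altair /kernel: ipfw: 7400 Deny TCP X.X.X.X:3833 193.0.0.193:53 out via ed0
May 8 15:32:11 altair /kernel: ipfw: 7400 Deny TCP X.X.X.X:3836 198.6.1.182:53 out via ed0
"""

# syslog pads single-digit days with a space ("May  8"), hence \s+ after the month.
IPFW_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ /kernel: ipfw: "
    r"(?P<rule>\d+) (?P<action>\w+) (?P<proto>TCP|UDP|ICMP) "
    r"(?P<src>[\w.]+):(?P<sport>\d+) (?P<dst>[\w.]+):(?P<dport>\d+) "
    r"(?P<dir>in|out) via (?P<iface>\w+)$"
)


@dataclass(frozen=True)
class DenyEvent:
    ts: str
    rule: int
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    direction: str
    iface: str


def parse_line(line: str):
    """Return a DenyEvent for an ipfw Deny line, or None for anything else."""
    m = IPFW_RE.match(line.strip())
    if not m or m["action"] != "Deny":
        return None
    return DenyEvent(m["ts"], int(m["rule"]), m["proto"], m["src"], int(m["sport"]),
                     m["dst"], int(m["dport"]), m["dir"], m["iface"])


def classify(ev: DenyEvent) -> str:
    """Map a deny event to one of the explanations discussed in the thread."""
    # Rule-7500 case: our UDP answer (source port 53) to a client port below
    # 1024. Some BIND versions query from port 53 and some OSes lower the
    # unprivileged floor, so this is a gap in the 1024-65535 rule, not a probe.
    if ev.proto == "UDP" and ev.sport == 53 and ev.dport < 1024:
        return "udp-reply-to-privileged-client-port"
    # Rule-7400 case: an outbound TCP connection from us to a remote port 53,
    # i.e. our own resolver retrying over TCP (truncated answer, UDP trouble).
    if ev.proto == "TCP" and ev.dport == 53 and ev.direction == "out":
        return "tcp-query-to-remote-dns"
    # Outbound TCP from our port 53: an answer or a zone transfer we are serving.
    if ev.proto == "TCP" and ev.sport == 53 and ev.direction == "out":
        return "tcp-answer-or-zone-transfer-from-us"
    return "other"


def summarize(log_text: str):
    """Count events per class and size the same-second bursts of TCP/53 denies.

    Returns (Counter of class -> count, dict of timestamp -> number of distinct
    remote nameservers contacted in that second)."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    by_class = Counter(classify(e) for e in events)
    bursts = defaultdict(set)
    for e in events:
        if classify(e) == "tcp-query-to-remote-dns":
            bursts[e.ts].add(e.dst)
    return by_class, {ts: len(dsts) for ts, dsts in bursts.items()}


if __name__ == "__main__":
    by_class, bursts = summarize(SAMPLE_LOG)
    for cls, n in by_class.items():
        print(f"{n:3d}  {cls}")
    for ts, n in bursts.items():
        print(f"burst at {ts}: {n} distinct remote nameservers")
```

The burst report is what separates the two readings in the thread: a few connections per second to well-known nameservers, each from a different high source port, is the resolver's own TCP fallback; a sustained stream would be worth examining further. Either way the script only triages the firewall log; the reply's recommendation to control the query type in BIND itself still stands.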
