From: Phil Wood (cpwlanl.gov)
Date: Wed Mar 14 2001 - 21:37:21 CST

    On Wed, Mar 14, 2001 at 08:33:45PM -0500, Erik Fichtner wrote:
    > -----BEGIN PGP SIGNED MESSAGE-----
    > Hash: SHA1
    >
    > On Wed, Mar 14, 2001 at 04:30:21PM -0800, Ian Campbell wrote:
    > > Can anyone give me more info on this particular rule or the details of any
    > > exploits it's supposed to catch?
    >
    > If you had a stateless firewall, say something like a bunch of cisco router
    > access-lists, you would probably allow queries from some machines to port 53,
    > because you would want to make DNS requests.. And since your packet filter
    > would be stateless, you would want to allow replies from the nameservers,
    > which is using source port 53.
    >
    > Right?
    >
    > Okay.. so this sort of thing was conceived back in the day when you could be
    > fairly certain that the Average Guy couldn't come along and craft a custom
    > packet. But now, Average Guy can create all manner of crap on the wire, and
    > making his packets claim to be from port 53 might just get them through your
    > wimpy stateless firewall, if you happen to have that.
    >
    > And thus, why there's a rule to catch that kind of thing... Except that
    > it falses a lot.

    Around 32% of all alerts for today fall into the port 53 to 137 category. I know for
    a fact that the destination hosts (in our address space) are not sending packets
    from 137 to 53. One might classify it as a braindead DOS on our infrastructure.
    But there just aren't enough of them. My guess is that some newbie net
    admin has used our address space for some network behind a broken NAT that
    is exuding packets from our address space which these poor nameservers get
    to reply to. (Our network address is 192.16.1.0/24.) Maybe the newbie dropped
    the 8 from 168.

     IP               Hostname                              Occurrences
     139.175.10.20    ksdns.seed.net.tw                     63
     148.235.0.19     customer-148-235-0-19.uninet.net.mx   18
     165.87.194.244   ns1.us.prserv.net                     18
     199.182.120.203  ns1.ix.netcom.com                      3
     207.206.192.1    dns1.dwx.com                           3
     207.206.192.2    dns2.dwx.com                           3

    >
    > - --
    > Erik Fichtner
    > Security Administrator, ServerVault, Inc.
    > 703-333-5900
    > -----BEGIN PGP SIGNATURE-----
    > Version: GnuPG v1.0.4 (FreeBSD)
    > Comment: For info see http://www.gnupg.org
    >
    > iEYEARECAAYFAjqwG/gACgkQQ7EzrewLMS0wIQCbBwRLVWrL0ItXRm23jA3UX4km
    > xl0AoLPSKIBNnRZR3EubxVEoFZa9kUzY
    > =ofJF
    > -----END PGP SIGNATURE-----
    >
    > _______________________________________________
    > Snort-users mailing list
    > Snort-userslists.sourceforge.net
    > Go to this URL to change user options or unsubscribe:
    > http://lists.sourceforge.net/lists/listinfo/snort-users

    -- 
    Phil Wood, cpwlanl.gov
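The point both posters make (a stateless filter has to admit anything claiming source port 53, a stateful one admits only replies to queries it saw, and the Snort rule is itself stateless so a genuine reply to a misrouted query looks identical to a crafted packet) can be shown with a small model. This is an added example, not code from the thread or from Snort; the ACL is a simplified model of a router access-list rather than any vendor's syntax, the 192.16.1.0/24 prefix is the one the poster states, and the hosts, ports and packets below are constructed for illustration.

```python
"""
Stateless vs stateful admission of UDP "DNS replies", and a stateless
detection rule in the spirit of the one discussed in the thread.

Added example: not code from the original posts or from Snort. The
addresses, ports and packet records are constructed; INSIDE_NET is the
poster's stated /24.
"""
from dataclasses import dataclass

INSIDE_NET = "192.16.1."   # poster's address space, as given in the thread


@dataclass(frozen=True)
class UDP:
    src: str
    sport: int
    dst: str
    dport: int


def stateless_permit(pkt: UDP) -> bool:
    """Model of a stateless access-list entry: admit any inbound UDP whose
    source port is 53, because that is what nameserver replies look like
    and the filter cannot know whether a query was ever sent."""
    return pkt.dst.startswith(INSIDE_NET) and pkt.sport == 53


class StatefulFilter:
    """Remembers outbound queries and admits only a matching reply."""

    def __init__(self) -> None:
        self.pending: set[tuple[str, int, str, int]] = set()

    def outbound(self, pkt: UDP) -> None:
        # store the 4-tuple as the reply would present it (reversed)
        self.pending.add((pkt.dst, pkt.dport, pkt.src, pkt.sport))

    def inbound_permit(self, pkt: UDP) -> bool:
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self.pending:
            self.pending.discard(key)   # one reply per outstanding query
            return True
        return False


def source_port_53_alert(pkt: UDP) -> bool:
    """Stateless rule in the spirit of the one under discussion: inbound UDP
    from source port 53 to NetBIOS-NS (137) inside our space. It has no
    knowledge of outstanding queries, so it cannot tell a crafted packet
    from a real nameserver answering a query someone else sent with our
    addresses (the broken-NAT hypothesis)."""
    return (pkt.dst.startswith(INSIDE_NET)
            and pkt.sport == 53 and pkt.dport == 137)


def run_demo() -> dict:
    """Run three constructed inbound packets through all three checks."""
    fw = StatefulFilter()

    # 1. An inside resolver really does query a nameserver (ephemeral sport).
    query = UDP("192.16.1.10", 32771, "165.87.194.244", 53)
    fw.outbound(query)
    reply = UDP("165.87.194.244", 53, "192.16.1.10", 32771)

    # 2. Crafted packet: attacker sets source port 53 to slip past the ACL.
    crafted = UDP("10.0.0.1", 53, "192.16.1.20", 137)          # constructed

    # 3. A real nameserver answering a query it received "from" 192.16.1.30:137
    #    (leaked by someone else's broken NAT). Indistinguishable from case 2.
    leaked_reply = UDP("139.175.10.20", 53, "192.16.1.30", 137)

    cases = {"reply": reply, "crafted": crafted, "leaked_reply": leaked_reply}
    return {
        "stateless": {n: stateless_permit(p) for n, p in cases.items()},
        "stateful": {n: fw.inbound_permit(p) for n, p in cases.items()},
        "alert": {n: source_port_53_alert(p) for n, p in cases.items()},
        # a second copy of the genuine reply has no pending query left
        "replayed_reply_permitted": fw.inbound_permit(reply),
    }


if __name__ == "__main__":
    for check, outcome in run_demo().items():
        print(f"{check:>25}: {outcome}")
```

The stateless ACL passes all three packets, the stateful filter passes only the answer to the query it actually saw, and the rule fires on both the crafted packet and the misrouted-but-genuine reply, which is the false-positive behaviour the thread complains about. Only correlation with outbound queries (or knowing that no inside host speaks from port 137 to port 53, as the poster does) separates the two.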
    
