Mailinglist Archive: opensuse-security (636 mails)

Re: AW: AW: [suse-security] dns hijack attack
  • From: Nix <suse@xxxxxxxxxxxxxxx>
  • Date: Tue, 06 Feb 2001 18:46:28 +1100
  • Message-id: <5.0.2.1.0.20010206184406.00b131e8@xxxxxxxxxxxxxxxxxxxx>

> Now I just wonder why you filter these packets.

Because the --sport is too low. Normally clients and servers query from
1024: --> 53 udp. This is 99% of all cases. For 1% I will not open the
1:1023 ports.

> Those appear to be regular dns queries, destined for
> 212.232.168.181 (your address? PS14613-RIPE).

Locking the source port is quite commonly used as a way to minimise rules
in a firewall (i.e. you have a DNS server that had to query OUT through a firewall,
and you set BIND to always query with a fixed source port). (Source ports
should not be used in rules for inbound connections due to their arbitrary nature,
but in this case, as they are outbound connections, it's quite common.)

Cheers


---
Nix - nix@xxxxxxxxxxxxxxxx
http://www.susesecurity.com
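
Added example, not part of the original message or of any poster's setup: a small Python model of the filter discussed in this thread, showing why a resolver pinned to a fixed source port is dropped by a rule that only accepts `--sport 1024:`. The fixed port 53, the rule lists and the sample queries are assumptions constructed for illustration.

```python
# Added illustration; rule sets and packets are constructed, not taken from the thread.
from dataclasses import dataclass

def parse_range(spec):
    """Parse an iptables-style port spec: '53', '1024:', ':1023', '1:1023'."""
    if ":" not in spec:
        lo = hi = int(spec)
    else:
        lo_s, hi_s = spec.split(":", 1)
        lo = int(lo_s) if lo_s else 0        # omitted start means 0
        hi = int(hi_s) if hi_s else 65535    # omitted end means 65535
    if not (0 <= lo <= hi <= 65535):
        raise ValueError(f"bad port range: {spec!r}")
    return lo, hi

@dataclass(frozen=True)
class Rule:
    sport: str
    dport: str
    target: str

    def matches(self, sport, dport):
        s_lo, s_hi = parse_range(self.sport)
        d_lo, d_hi = parse_range(self.dport)
        return s_lo <= sport <= s_hi and d_lo <= dport <= d_hi

def verdict(rules, sport, dport, policy="DROP"):
    """First matching rule wins; otherwise the chain policy applies."""
    for rule in rules:
        if rule.matches(sport, dport):
            return rule.target
    return policy

# Inbound UDP queries accepted only from unprivileged source ports.
STRICT = [Rule("1024:", "53", "ACCEPT")]
# Same filter plus one narrow exception (assumption: remote BIND pinned to port 53).
WITH_EXCEPTION = STRICT + [Rule("53", "53", "ACCEPT")]

# Constructed inbound queries: (description, source port, destination port)
QUERIES = [
    ("ephemeral-port client", 33412, 53),
    ("BIND with fixed source port 53", 53, 53),
    ("other low source port", 700, 53),
]

def evaluate(rules):
    return {name: verdict(rules, sp, dp) for name, sp, dp in QUERIES}

if __name__ == "__main__":
    for label, rules in (("strict", STRICT), ("with exception", WITH_EXCEPTION)):
        print(label, evaluate(rules))
```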

