[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

DNS Attacks

Subject: DNS Attacks
From: morrowc.lists at gmail.com (Christopher Morrow)
Date: Wed, 18 Jan 2012 11:42:42 -0500
In-reply-to: <[email protected]>
References: <[email protected]> <[email protected]> <[email protected]> <CAL9jLaYJNhbp2M_8=mobTHTW8R0cAU5XA=fmTP2q7ZjL4zDPKg@mail.gmail.com> <[email protected]>

On Wed, Jan 18, 2012 at 11:34 AM, Steven Bellovin <smb at cs.columbia.edu> wrote:
>
> On Jan 18, 2012, at 10:41 30AM, Christopher Morrow wrote:
>
>> On Wed, Jan 18, 2012 at 10:05 AM, Nick Hilliard <nick at foobar.org> wrote:
>>> On 18/01/2012 14:18, Leigh Porter wrote:
>>>> Yeah like I say, it wasn't my idea to put DNS behind firewalls. As long
>>>> as it is not *my* firewalls I really don't care what they do ;-)
>>>
>>> As you're posting here, it looks like it's become your problem. :-D
>>>
>>> Seriously, though, there is no value to maintaining state for DNS queries.
>>> ?You would be much better off to put your firewall production interfaces on
>>> a routed port on a hardware router so that you can implement ASIC packet
>>> filtering. ?This will operate at wire speed without dumping you into the
>>> colloquial poo every time someone decides to take out your critical
>>> infrastructure.
>>
>> I get the feeling that leigh had implemented this against his own
>> advice for a client... that he's onboard with 'putting a firewall in
>> front of a dns server is dumb' meme...
>
> In principle, this is certainly correct (and I've often said the same thing
> about web servers); in practice, though, a lot depends on the specs. ?For
> example: can the firewall discard useless requests more quickly? ?Does it do
> a better job of discarding malformed packets? ?Is the vendor better about
> supplying patches to new vulnerabilities? ?Can it do a better job filtering
> on source IP address? ?Does it do load-balancing? ?Are there other services
> on the same server IP address that do require stateful filtering?


yup... I think roland and nick (he can correct me, roland I KNOW is
saying this) are basically saying:

permit tcp any any eq 80
permit tcp any any eq 443
deny ip any any

is far, far better than state management in a firewall. Anything more
complex and your firewall fails long before the 7206's
interface/filter will :( Some folks would say you'd be better off
doing some LB/filtering-in-software behind said router interface
filter, I can't argue with that.

> As I said, most of the time a dedicated DNS appliance doesn't benefit from
> firewall protection. ?Occasionally, though, it might.

I suspect the cases where it MAY benefit are the 'lower packet rate,
ping-o-death-type' attacks only though. Essentially 'use a proxy to
remove unknown cruft' as a frontend to your more complex dns/web
answering system, eh?

under load though, high pps rate attacks/instances (victoria secret
fashion-show sorts of things) your firewall/proxy is likely to die
before the backend does ;(

-chris

>
> ? ? ? ? ? ? ? ?--Steve Bellovin, https://www.cs.columbia.edu/~smb
>
>
>
>
>

Follow-Ups:
- DNS Attacks
  - From: cb.list6 at gmail.com (Cameron Byrne)
- DNS Attacks
  - From: drew.weaver at thenap.com (Drew Weaver)

References:
- DNS Attacks
  - From: dennis at justipit.com (Dennis)
- DNS Attacks
  - From: leigh.porter at ukbroadband.com (Leigh Porter)
- DNS Attacks
  - From: nick at foobar.org (Nick Hilliard)
- DNS Attacks
  - From: morrowc.lists at gmail.com (Christopher Morrow)
- DNS Attacks
  - From: smb at cs.columbia.edu (Steven Bellovin)

Prev by Date: DNS Attacks
Next by Date: World IPv6 Launch Day - June 6, 2012
Previous by thread: DNS Attacks
Next by thread: DNS Attacks
Index(es):
- Date
- Thread