On 10 Aug 99, at 15:06, Mike Bost wrote:

> DoubleClick Information Security Department
> <snip>
> This latency measurement is done by making a connection to the client DNS
> server on TCP port 7 and then dropping the connection. After the latency
> measurement has been done, the latency values are cached, and the IP of the
> most responsive POP is returned to the requesting machine. 

  Dare I suggest that this is a wee bit under-thought-out?

1.  How does DoubleClick identify the "client DNS server"?

2.  How reasonable is it to assume that latencies to the target so identified 
correlate to actual latencies to the client machine?

3.  DNS servers seem to be a popular target for exploits and attack scripts.
They should have non-essential services disabled and/or blocked, and be
monitored for abuse.  Why pick on them?

4.  The echo port is subject to some fairly obvious kinds of abuse.  It 
should be disabled and/or blocked, and monitored.  Why pick on it?

5.  A properly-functioning DNS server has to accept TCP connections on port 
53, even if zone transfers are disallowed.  Why not use that mechanism?


  One gets the feeling that DoubleClick should be getting tired of explaining
to security admins what their systems are trying (and, in these cases where
the echo port is blocked and monitored, FAILING) to do.  [Presumably, setting
off my pager wasn't one of their design requirements....]

David G
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]

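As an added illustration of point 5 above (this is example code written for this page, not DoubleClick's implementation or anything posted to the list): a latency probe that does exactly what the quoted description says, a TCP three-way handshake followed by an immediate close, but against TCP/53, the port a properly functioning DNS server must already accept connections on, instead of the echo port. The candidate list, the hypothetical POP names and the local stand-in listener are all constructed here so the script runs offline; in a real deployment the candidates would be the resolvers or POPs being ranked. Note that the caveat in the message still applies: a connect-and-drop to port 53 is every bit as visible in a DNS server's connection logs as one to port 7, only it no longer looks like an echo-port probe.

```python
import socket
import threading
import time


def tcp_connect_latency(host, port, timeout=2.0):
    """Time one TCP three-way handshake to host:port, then close immediately.

    This mirrors the 'connect then drop' measurement quoted above, but the
    caller picks the port (53 here). Returns the round-trip time in seconds,
    or None if the connection was refused, filtered or timed out.
    """
    start = time.monotonic()
    try:
        with socket.create_connection((host, port), timeout=timeout):
            pass  # handshake done; the context manager closes the socket
    except OSError:
        return None  # refused (RST), unreachable, or timed out
    return time.monotonic() - start


def most_responsive(candidates, port=53, timeout=2.0):
    """Rank candidates by connect latency on `port`.

    candidates: list of (name, host) pairs. Returns (name, latency) for the
    lowest-latency candidate that answered, or None if nobody answered.
    Filtered or dead hosts are skipped rather than counted as slow.
    """
    best = None
    for name, host in candidates:
        lat = tcp_connect_latency(host, port, timeout)
        if lat is not None and (best is None or lat < best[1]):
            best = (name, lat)
    return best


def start_listener(host="127.0.0.1"):
    """Local stand-in for a DNS server's TCP listener (constructed for this
    example; a real resolver listens on TCP/53). Accepts and immediately
    closes every connection. Returns (server_socket, bound_port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))  # port 0: let the OS pick a free port
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return  # server socket closed; stop serving
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def closed_port(host="127.0.0.1"):
    """Pick a port with nothing listening on it (constructed for the example:
    bind to port 0, note the port, release it)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((host, 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    # Hypothetical POP names; the 'good' one is our local listener, the
    # 'dead' one is a closed port that will be refused and skipped.
    srv, live = start_listener()
    candidates = [("pop-dead", "127.0.0.1"), ("pop-live", "127.0.0.1")]
    # Port differs per candidate here only because both live on localhost.
    results = {name: tcp_connect_latency(host, p, 1.0)
               for (name, host), p in zip(candidates, [closed_port(), live])}
    print("per-candidate latency (None = not reachable):", results)
    srv.close()
```

The function of interest in a real run is `most_responsive(candidates)` with the default port 53; the `__main__` block probes each candidate on its own port only because the constructed stand-ins all share 127.0.0.1. A connect timeout is essential: a host that silently drops SYNs (the filtered case the author describes) must count as "no answer", not as a very slow answer.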