On 22 Jun 2001, at 11:58, Truman Boyes wrote:

> FTP being the worst, security wise, of protocols, you are correct. I would
> not trust a packet filter to handle the deed, but depending on what you
> are trying to accomplish it may suffice. Some routers (cisco, others) do
> support software features to track sessions, even if they are
> connection-less in design. For example, you can open a "pinhole" in the
> firewall for a DNS query, and close it up after a predetermined period of
> time.
>
> On Fri, 22 Jun 2001, Sudipto basu wrote:
>
> > Things get worse when you use a connection less
> > protocol like UDP,
> > which forms the basis of DNS. In order to control UDP
> > streams in a firewall, you need to add some form of
> > state monitoring to a packet filter"
>
> See above.

I've been thinking about the use of UDP in DDoSes. My first impulse was to
block it entirely at the border, except for "known" protocols like DNS. Of
course, that (a) doesn't stop DDoS attackers from choosing port 53, and (b)
requires a policy environment that lets you block on such a sweeping scale.

Assuming, of course, that condition (b) is met -- probably true for
private/corporate networks, not true for ISPs -- my second approach is to
block all UDP traffic except trusted protocols TO/FROM TRUSTED MACHINES.
I.e., users would no longer be able to query random outside DNS servers
directly; their queries would have to be forwards (not referrals) from one
of the internal DNS servers.

I'm interested in hearing of the experiences of anyone who has implemented
such a policy. I expect I'll also hear some arguments about why this is a
good/bad approach, and someone is sure to claim that proxy-based firewalls
avoid this whole issue -- which is probably true.

David Gillett

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
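The policy described in the thread, default-deny UDP with DNS permitted only between the internal resolvers and trusted outside servers, combined with a timed "pinhole" for each expected reply, as an added Python sketch that is not part of the original thread; the addresses, ports and the 30-second timeout are constructed.

```python
from dataclasses import dataclass, field

TRUSTED_RESOLVERS = {"10.0.0.53"}    # constructed: internal DNS servers users must forward through
TRUSTED_FORWARDERS = {"192.0.2.53"}  # constructed: outside DNS servers the resolvers may talk to
PINHOLE_TTL = 30                     # constructed: seconds a reply pinhole stays open

@dataclass
class UdpFilter:
    """Default-deny UDP filter with timed pinholes for expected DNS replies."""
    # (outside_ip, outside_port, inside_ip, inside_port) -> time the pinhole closes
    pinholes: dict = field(default_factory=dict)

    def _expire(self, now):
        self.pinholes = {k: t for k, t in self.pinholes.items() if t > now}

    def outbound(self, src, sport, dst, dport, now):
        """Inside -> outside. Only a trusted resolver may query a trusted
        forwarder on port 53; doing so opens a pinhole for the reply."""
        self._expire(now)
        if src in TRUSTED_RESOLVERS and dst in TRUSTED_FORWARDERS and dport == 53:
            self.pinholes[(dst, dport, src, sport)] = now + PINHOLE_TTL
            return "ACCEPT"
        return "DROP"

    def inbound(self, src, sport, dst, dport, now):
        """Outside -> inside. Accepted only through a pinhole that is still open;
        everything else, including port-53 packets to ordinary hosts, is dropped."""
        self._expire(now)
        if (src, sport, dst, dport) in self.pinholes:
            return "ACCEPT"
        return "DROP"

def demo():
    """Run constructed packets through the filter and return the verdicts."""
    f = UdpFilter()
    return [
        f.outbound("10.0.0.53", 40001, "192.0.2.53", 53, now=0),    # resolver -> forwarder
        f.inbound("192.0.2.53", 53, "10.0.0.53", 40001, now=1),     # its reply, inside the TTL
        f.outbound("10.0.0.7", 40002, "198.51.100.9", 53, now=2),   # user -> random outside DNS
        f.inbound("198.51.100.9", 53, "10.0.0.7", 40002, now=3),    # unsolicited port-53 packet
        f.outbound("10.0.0.53", 40003, "192.0.2.53", 53, now=4),    # second resolver query
        f.inbound("192.0.2.53", 53, "10.0.0.53", 40003, now=4 + PINHOLE_TTL + 1),  # reply after TTL
    ]

if __name__ == "__main__":
    print(demo())  # ['ACCEPT', 'ACCEPT', 'DROP', 'DROP', 'ACCEPT', 'DROP']
```

The last case shows the cost of the timed pinhole: a legitimate reply arriving after the timeout is dropped, so the TTL has to be tuned against real resolver latency.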
