Re: [j-nsp] Block traceroute and Allow Ping

2009-09-30 Thread Stefan Fouant
On Wed, Sep 30, 2009 at 11:44 AM, David Ball  wrote:

>   If I'm not mistaken, this year's migration to DNS servers
> supporting randomized source UDP ports (based on the Kaminsky thing)
> may throw a wrench into some notions of filtering UDP traffic across
> their network.  I know we had issues with it.
>
> > On Wed, Sep 30, 2009 at 5:09 AM, Masood Shah wrote:
> >
> >> If you are REALLY paranoid, you can DROP all UDP traffic and then only
> >> open the ports that you have services running on. Sometimes this is
> >> easier said than done though.
>

I think it really boils down to whether you are filtering Source Ports vs.
Destination Ports.  In the DNS case, there is rarely a need to block Source
Ports, but it certainly would be prudent in certain circumstances to allow
Destination Port 53 and then block everything else.  Those who support this
model shouldn't be affected by the newer versions of BIND and other
resolvers which support larger Source Port pools... (BTW, I am talking from
the perspective of a DNS provider... if we're dealing with a customer side
filtering inbound traffic, the above model should be reversed).

-- 
Stefan Fouant
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp


Re: [j-nsp] Block traceroute and Allow Ping

2009-09-30 Thread Jared Mauch
Any "blind" filtering will have side-effects.  Setting the bar correctly can
be difficult.  It is important to regularly review filtering policies, remove
the ones that are not of value and place new ones in.  If it's just something
where people pile on block-more, MORE, MOOORRRE! you will end up with a really
poor user experience.  Make sure the reviews are part of a scheduled business
practice, put the guy who runs around with the tapes in charge of nagging you.


- Jared

On Sep 30, 2009, at 11:44 AM, David Ball wrote:

>   If I'm not mistaken, this year's migration to DNS servers
> supporting randomized source UDP ports (based on the Kaminsky thing)
> may throw a wrench into some notions of filtering UDP traffic across
> their network.  I know we had issues with it.
>
> David
>
> 2009/9/30 Stefan Fouant :
>> On Wed, Sep 30, 2009 at 5:09 AM, Masood Shah wrote:
>>
>>> If you are REALLY paranoid, you can DROP all UDP traffic and then
>>> only open the ports that you have services running on. Sometimes this is
>>> easier said than done though.
>>
>> I wouldn't call this paranoia.  I would call this "good security
>> posture".
>>
>> --
>> Stefan Fouant


Re: [j-nsp] Block traceroute and Allow Ping

2009-09-30 Thread David Ball
   If I'm not mistaken, this year's migration to DNS servers
supporting randomized source UDP ports (based on the Kaminsky thing)
may throw a wrench into some notions of filtering UDP traffic across
their network.  I know we had issues with it.

David


2009/9/30 Stefan Fouant :
> On Wed, Sep 30, 2009 at 5:09 AM, Masood Shah  wrote:
>
>>
>> If you are REALLY paranoid, you can DROP all UDP traffic and then only open
>> the ports that you have services running on. Sometimes this is easier said
>> than done though.
>>
>
> I wouldn't call this paranoia.  I would call this "good security posture".
>
> --
> Stefan Fouant


Re: [j-nsp] Block traceroute and Allow Ping

2009-09-30 Thread Stefan Fouant
On Wed, Sep 30, 2009 at 5:09 AM, Masood Shah  wrote:

>
> If you are REALLY paranoid, you can DROP all UDP traffic and then only open
> the ports that you have services running on. Sometimes this is easier said
> than done though.
>

I wouldn't call this paranoia.  I would call this "good security posture".

-- 
Stefan Fouant


Re: [j-nsp] Block traceroute and Allow Ping

2009-09-30 Thread Masood Shah
Truman is correct, blocking traceroute is not straightforward...

To block traceroute on Linux, start by DROPping ports 33434 to 33600. Of 
course, Truman makes a good point that this range can be overridden, for 
example in Linux with the -p option. If you are REALLY paranoid, you can DROP 
all UDP traffic and then only open the ports that you have services running on. 
Sometimes this is easier said than done though.

Windows uses "normal" ICMP echo requests with low TTL values. And the replies 
are ICMP type 11 (TTL exceeded), or ICMP type 0 (echo reply, when the 
destination has been reached). 

So if you want to block both Windows and *NIX traceroutes, you need to either:
 - block outgoing messages destined to UDP ports 33434 to 33534, AND outgoing
   ICMP echo-request messages
or
 - block incoming ICMP type 11 and type 0 messages

To avoid a long discussion on this topic I would add that UNIX version of 
Tracert performs the same function as the Windows version except that the IP 
payload is a UDP packet. According to RFC1393, traceroute implementations are 
supposed to use the ICMP protocol. Indeed, the windows implementation does use 
ICMP. However, by default, the Linux implementation uses UDP, unless you apply 
the "-I" option, in which case it will use ICMP.

Regards,
Masood
Blog: http://weblogs.com.pk/jahil/



-Original Message-
From: juniper-nsp-boun...@puck.nether.net on behalf of Truman Boyes
Sent: Wed 9/30/2009 10:34
To: Iftikhar Ahmed
Cc: juniper-nsp@puck.nether.net; Pekka Savola
Subject: Re: [j-nsp] Block traceroute and Allow Ping
 
This will block some types of traceroute, but a client can always use
different ports.

Why do you want to block traceroute?

On 29/09/2009, at 8:42 PM, Iftikhar Ahmed wrote:

> Atif,
>
> Try to apply a filter to loop-back interface with somthing like
>
>
> term traceroute {   /* discard traceroute udp packets */
>     from {
>         protocol udp;
>         destination-port 33434-33678;
>     }
>     then {
>         count traceroute;
>         discard;
>     }
> }
> term default {
>     then accept;
> }
>
>
>
> Regards,
> iftikhar Ahmed
>
> On Tue, Sep 29, 2009 at 3:23 PM, Pekka Savola wrote:
>
> >> On Tue, 29 Sep 2009, Muhammad Atif Jauahar wrote:
> >>
> >>> I want to block traceroute transit traffic on router but I want to allow
> >>> ping transit traffic. Kindly let me know ICMP Type and Code for traceroute
> >>> and kindly let me know procedure to block traceroute but allow ping.
> >>>
> >>
> >> You can't if you want to support all flavours of traceroute as some of
> >> those use the equivalent of ping.  Maybe you could match by both TTL and
> >> ICMP type/code but that would be hackish.  To learn more about how
> >> traceroute works, see:
> >>
> >> http://en.wikipedia.org/wiki/Traceroute
> >>
> >> --
> >> Pekka Savola                 "You each name yourselves king, yet the
> >> Netcore Oy                    kingdom bleeds."
> >> Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings
>>
>> ___
>> juniper-nsp mailing list juniper-nsp@puck.nether.net
>> https://puck.nether.net/mailman/listinfo/juniper-nsp
>>
> ___
> juniper-nsp mailing list juniper-nsp@puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
>

___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp

___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp


Re: [j-nsp] Block traceroute and Allow Ping

2009-09-29 Thread Truman Boyes
This will block some types of traceroute, but a client can always use
different ports.


Why do you want to block traceroute?

On 29/09/2009, at 8:42 PM, Iftikhar Ahmed wrote:

> Atif,
>
> Try to apply a filter to loop-back interface with something like
>
> term traceroute {   /* discard traceroute udp packets */
>     from {
>         protocol udp;
>         destination-port 33434-33678;
>     }
>     then {
>         count traceroute;
>         discard;
>     }
> }
> term default {
>     then accept;
> }
>
> Regards,
> iftikhar Ahmed
>
> On Tue, Sep 29, 2009 at 3:23 PM, Pekka Savola wrote:
>
>> On Tue, 29 Sep 2009, Muhammad Atif Jauahar wrote:
>>
>>> I want to block traceroute transit traffic on router but I want to allow
>>> ping transit traffic. Kindly let me know ICMP Type and Code for traceroute
>>> and kindly let me know procedure to block traceroute but allow ping.
>>
>> You can't if you want to support all flavours of traceroute as some of
>> those use the equivalent of ping.  Maybe you could match by both TTL and
>> ICMP type/code but that would be hackish.  To learn more about how
>> traceroute works, see:
>>
>> http://en.wikipedia.org/wiki/Traceroute
>>
>> --
>> Pekka Savola                 "You each name yourselves king, yet the
>> Netcore Oy                    kingdom bleeds."
>> Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings



Re: [j-nsp] Block traceroute and Allow Ping

2009-09-29 Thread Iftikhar Ahmed
Atif,

Try to apply a filter to loop-back interface with something like


term traceroute {   /* discard traceroute udp packets */
    from {
        protocol udp;
        destination-port 33434-33678;
    }
    then {
        count traceroute;
        discard;
    }
}
term default {
    then accept;
}



Regards,
iftikhar Ahmed

On Tue, Sep 29, 2009 at 3:23 PM, Pekka Savola  wrote:

> On Tue, 29 Sep 2009, Muhammad Atif Jauahar wrote:
>
>> I want to block traceroute transit traffic on router but I want to allow
>> ping transit traffic. Kindly let me know ICMP Type and Code for traceroute
>> and kindly let me know procedure to block traceroute but allow ping.
>>
>
> You can't if you want to support all flavours of traceroute as some of
> those use the equivalent of ping.  Maybe you could match by both TTL and
> ICMP type/code but that would be hackish.  To learn more about how
> traceroute works, see:
>
> http://en.wikipedia.org/wiki/Traceroute
>
> --
> Pekka Savola                 "You each name yourselves king, yet the
> Netcore Oy                    kingdom bleeds."
> Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings


Re: [j-nsp] Block traceroute and Allow Ping

2009-09-29 Thread Pekka Savola

On Tue, 29 Sep 2009, Muhammad Atif Jauahar wrote:

> I want to block traceroute transit traffic on router but I want to allow
> ping transit traffic. Kindly let me know ICMP Type and Code for traceroute
> and kindly let me know procedure to block traceroute but allow ping.


You can't if you want to support all flavours of traceroute as some of 
those use the equivalent of ping.  Maybe you could match by both TTL 
and ICMP type/code but that would be hackish.  To learn more about how 
traceroute works, see:


http://en.wikipedia.org/wiki/Traceroute

--
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings