On Mon, 2009-10-12 at 09:19 -0700, Joel M Snyder wrote:
> You may remember last year's "the Internet is falling and only Dan 
> Kaminsky can explain it" flap around DNS.  Well, a lot of the
> discussion around this bug/problem/issue ignored the truth that a good
> firewall prevented the attack directly, by knowing enough 'deep packet
> smarts' around the DNS protocol that the attack scenario was
> effectively blocked (hey, that's why we have a session table in the
> first place!).

The "Kaminsky attack" only makes sense towards recursive resolvers, and
I think most posters here are thinking about authoritative Internet
facing nameservers. Who runs a recursive nameserver open towards the
Internet nowadays?

Even so: the nameservers make outbound requests and for those it sort of
does make sense to have stateful inspection. Except AFAIK the Kaminsky
attack works with spoofed answers, i.e. spoofing both source IP and
ports and query ID. How would a firewall (including DPI) catch this? By
randomizing source ports or query IDs like TCP sequence number
randomization? I'm not sure I agree that's a good idea. By denying all
but one answer? Perfect way to DoS yourself.

> Similarly, a well-configured firewall would have per-IP rate limits in
> it, which would have been a second line of defense.

Um... wouldn't that just make a DoS attempt even easier for an attacker?

> Now, if you put in a piece-o-crap firewall that is misconfigured, too 
> slow, doesn't have a big enough session table, and doesn't do anything
> more than your average reflexive access control list, then you're
> right on: rip that junk out and go bareback.
> 
> But if you do it right, there is value to be provided by a firewall.

As always, costs are important. Why should I spend $$$ for a large
enough firewall that doesn't give me any extra value?

-- 
Peter


_______________________________________________
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
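As an added illustration of what "spoofing both source IP and ports and query ID" amounts to for an off-path attacker (this is example code written for this page, not code from the list post or from any resolver), the block below models the fields a recursive resolver matches on an incoming UDP answer and estimates the attacker's odds with a fixed source port versus a fresh random port per query. The server address 192.0.2.53, the query name, the ephemeral port range 1024-65535 and the fixed port 53 are assumed values chosen for the example.

```python
"""Off-path DNS answer forgery: how many guesses does the attacker need?

A resolver that sent a query over UDP accepts an answer only if it arrives
from the server it asked, to the port it sent from, with the same 16-bit
transaction ID and the same question. Everything else the attacker already
knows or controls, so the race is decided by the port and the ID.
"""
import random
from dataclasses import dataclass

# Assumed values for the example, not from the original post.
SERVER_IP = "192.0.2.53"          # authoritative server the resolver is asking
QNAME = "a1b2c3.example.test."    # attacker-chosen name, so no cached RRset interferes
FIXED_PORT = 53                   # a resolver that sends every query from one port
PORT_RANGE = (1024, 65535)        # ephemeral ports a randomizing resolver picks from
TXID_SPACE = 1 << 16              # 16-bit DNS transaction ID


@dataclass(frozen=True)
class Outstanding:
    """One in-flight query as the resolver remembers it."""
    server_ip: str
    src_port: int
    txid: int
    qname: str


def accept_answer(pending: Outstanding, src_ip: str, dst_port: int,
                  txid: int, qname: str) -> bool:
    """The four-way match a resolver performs before trusting a UDP answer."""
    return (src_ip == pending.server_ip and dst_port == pending.src_port
            and txid == pending.txid and qname == pending.qname)


def guess_space(randomize_ports: bool) -> int:
    """Number of (port, txid) combinations the attacker has to cover."""
    lo, hi = PORT_RANGE
    ports = (hi - lo + 1) if randomize_ports else 1
    return TXID_SPACE * ports


def spoof_success_probability(guesses: int, randomize_ports: bool) -> float:
    """Chance that `guesses` distinct forged answers, all arriving before the
    genuine one, include the single answer the resolver will accept."""
    space = guess_space(randomize_ports)
    return min(guesses, space) / space


def simulate(randomize_ports: bool, guesses: int, trials: int, seed: int = 1) -> float:
    """Monte Carlo version of the same race; returns the observed hit rate.

    Fixed port: the attacker learns the port once (e.g. by making the resolver
    query a server the attacker runs) and only has to guess the txid.
    Random port: that observation is useless for the next query, so the
    attacker guesses the (port, txid) pair."""
    rng = random.Random(seed)
    lo, hi = PORT_RANGE
    guesses = min(guesses, guess_space(randomize_ports))
    hits = 0
    for _ in range(trials):
        port = rng.randint(lo, hi) if randomize_ports else FIXED_PORT
        pending = Outstanding(SERVER_IP, port, rng.randrange(TXID_SPACE), QNAME)
        if randomize_ports:
            # Decode each sampled integer into a (port, txid) pair.
            candidates = ((lo + n // TXID_SPACE, n % TXID_SPACE)
                          for n in rng.sample(range(guess_space(True)), guesses))
        else:
            candidates = ((FIXED_PORT, t) for t in rng.sample(range(TXID_SPACE), guesses))
        # Attacker spoofs SERVER_IP as source and repeats the question it triggered.
        if any(accept_answer(pending, SERVER_IP, p, t, QNAME) for p, t in candidates):
            hits += 1
    return hits / trials


if __name__ == "__main__":
    for randomize in (False, True):
        label = "random port" if randomize else "fixed port "
        print(f"{label}: space={guess_space(randomize):>13,} "
              f"P(success|2000 forged answers)={spoof_success_probability(2000, randomize):.2e} "
              f"simulated(2000 guesses, 200 trials)={simulate(randomize, 2000, 200):.3f}")
```

Because the attacker picks a fresh nonexistent name for every attempt, a miss costs nothing and the race simply restarts, which is why the per-attempt probability rather than the cache TTL governs the attack; the block reports that probability for both resolver configurations.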