+++ Abhi [linux-india] <07/05/02 17:46 +0900>:
> A security attempt will involve gaining enough information about the
> targeted hosts to enable an actual attack. To that end, one generally tries
> to determine the identities of interesting hosts to see which services might
Fine. IF his hosts are all exposed directly to the internet, ok, there is
some merit in what you say.
Now, considering that he's using a natted setup, which would break firewalks
anyway ...
Next is -
> be available on those hosts. This is why it is advised against including
> silly text descriptions for your hosts records in your DNS servers. DNS
> server will function just the same without you telling the world that xyz is
Or maybe because cluttering your DNS with lots of TXT, HINFO etc produces
overlarge dns packets, leading to extra, useless load on your dns servers?
A typical dns query --> <= 512 bytes packet = send UDP. If greater - then a
truncated response is returned.
Most dns servers (except where there's an overly bogus firewall rule - see
several cisco pix and checkpoint boxes for a fine example of this) will then
retry using tcp.
This is assuming your resolver library handles this sort of thing correctly
of course (MS DNS server, for example? <g>). Then, I've heard that qmail
default installs choke on over-large dns packets, and that there is a patch
to remedy this.
Compared to UDP, TCP is an expensive protocol to use for a simple transaction
like DNS: a TCP connection requires 5 packets for setup and takedown,
excluding data packets, thus requiring at least 3 round trips on top of the
one for the original UDP query.
In any case, extra bandwidth consumed, more time taken to do the dns lookup.
Worst case, the firewall at the other end blocks the query totally.
So, cluttering up your dns with useless TXT, HINFO and such is not really a
good idea, yeah. Anything that minimizes the size of your zonefile is, OTOH,
an excellent idea.
> network topology and operating systems being attacked is also very very
> useful, which is where the firewalk comes in. A firewall is generally
> expected to hide the details of the protected network from the outside
He has a firewall. He is using NAT / proxies. Firewalking is useless
against what his current setup is, as far as I can see.
> And I will top off the topic from one line quoted from rr.sans.org paper on
> firewalk...
> "A single layer of defense is never enough."
Counterpoint - Stripping smtp banners, hiding received: headers showing
internal IP handoffs in emails (yet another frequent request from "security"
minded folks) is not a viable layer of defense - either taken on its own, or
used in combination with other, real, defenses.
-srs
--
Suresh Ramasubramanian <----> mallet <at> efn dot org
EMail Sturmbannfuhrer, Lower Middle Class Unix Sysadmin
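The size argument above (TXT/HINFO clutter pushing a reply past the 512-byte UDP limit, the TC bit, and the TCP retry) can be seen in a few lines of wire-format arithmetic. The following is an added example, not code from the original message or from any DNS server: it builds constructed responses for a made-up host (all record contents, names and addresses are invented), models the server truncating at 512 bytes and setting TC, and models the resolver's decision to come back over TCP. It deliberately ignores name compression and EDNS0 (which today lets clients advertise a larger UDP payload) so that the sizes stay easy to follow.

```python
"""
Added example (not from the original message): DNS response sizing, the
classic 512-byte UDP limit, the TC bit, and the resulting TCP retry.
Everything is constructed offline; no network traffic is generated.
"""
import struct

UDP_PAYLOAD_LIMIT = 512          # RFC 1035 ceiling for DNS over UDP (pre-EDNS0)
TYPE_A, TYPE_HINFO, TYPE_TXT = 1, 13, 16
CLASS_IN = 1
FLAG_TC = 0x0200                 # "truncated" bit in the header flags word


def encode_name(name):
    """Dotted hostname -> DNS label sequence (no compression, to keep sizes obvious)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def encode_character_strings(strings):
    """RDATA for TXT/HINFO: <len><chars> pairs, each string at most 255 bytes."""
    out = b""
    for s in strings:
        data = s.encode("ascii")
        if len(data) > 255:
            raise ValueError("character-string longer than 255 bytes")
        out += bytes([len(data)]) + data
    return out


def build_rr(name, rtype, rdata, ttl=3600):
    """One resource record: NAME, TYPE, CLASS, TTL, RDLENGTH, RDATA."""
    return encode_name(name) + struct.pack("!HHIH", rtype, CLASS_IN, ttl, len(rdata)) + rdata


def build_response(qname, answers, truncated=False, txid=0x1234):
    """Header + question + answer RRs. Flags 0x8180 = QR, RD, RA, NOERROR."""
    flags = 0x8180 | (FLAG_TC if truncated else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, len(answers), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", TYPE_A, CLASS_IN)
    return header + question + b"".join(answers)


def send_over_udp(qname, answers):
    """Server side: keep whole RRs while the message fits in 512 bytes; if any
    RR had to be dropped, set TC so the client knows to retry over TCP."""
    kept = []
    for rr in answers:
        if len(build_response(qname, kept + [rr])) > UDP_PAYLOAD_LIMIT:
            break
        kept.append(rr)
    return build_response(qname, kept, truncated=len(kept) < len(answers))


def tc_bit(msg):
    """Read the TC flag from a wire-format message header."""
    return bool(struct.unpack("!H", msg[2:4])[0] & FLAG_TC)


def answer_count(msg):
    """ANCOUNT field of the header: how many answer RRs actually made it."""
    return struct.unpack("!H", msg[6:8])[0]


def next_transport(msg):
    """Resolver side: a TC reply costs a second exchange, this time over TCP."""
    return "tcp" if tc_bit(msg) else "udp"


QNAME = "host.example.com."   # hypothetical host; all records below are constructed


def demo_records():
    """The minimal zone entry for the host vs one padded with HINFO and chatty TXT."""
    a_rr = build_rr(QNAME, TYPE_A, bytes([192, 0, 2, 10]))
    minimal = [a_rr]
    cluttered = [
        a_rr,
        build_rr(QNAME, TYPE_HINFO, encode_character_strings(["Intel Xeon", "Linux 2.4.18"])),
        build_rr(QNAME, TYPE_TXT, encode_character_strings(
            ["Primary mail and web server, rack 3, Bangalore office. " * 4])),
        build_rr(QNAME, TYPE_TXT, encode_character_strings(
            ["Runs sendmail and Apache; secondary DNS for the branch. " * 4])),
        build_rr(QNAME, TYPE_TXT, encode_character_strings(
            ["Contact the night-shift sysadmin pager for outages. " * 4])),
    ]
    return minimal, cluttered


def compare():
    """Return (minimal reply size, full cluttered size, cluttered size as sent
    over UDP, TC set on that UDP reply, RRs that survived truncation)."""
    minimal, cluttered = demo_records()
    lean = send_over_udp(QNAME, minimal)
    full = build_response(QNAME, cluttered)
    udp = send_over_udp(QNAME, cluttered)
    return len(lean), len(full), len(udp), tc_bit(udp), answer_count(udp)


if __name__ == "__main__":
    lean, full, udp, tc, kept = compare()
    print(f"minimal reply: {lean} bytes, one UDP datagram, done")
    print(f"cluttered reply: {full} bytes; over UDP only {kept} RRs ({udp} bytes) go out, TC={tc}")
    print("resolver's next step:", next_transport(send_over_udp(QNAME, demo_records()[1])))
```

The minimal entry answers in one 66-byte datagram; the padded one is 857 bytes, so the server ships a 367-byte truncated reply with TC set and the resolver has to open a TCP connection and ask again. The same arithmetic is what a DNS operator can apply to a real zone: the cheapest way to keep replies under the limit is to publish only the records a client actually needs.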
_______________________________________________
linux-india-help mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/linux-india-help