> They are taking the position that it is upside down to require an
> unprivileged source port. What are the issues?
The code is here in /usr/src/usr.sbin/inetd/inetd.c:
    if (port < IPPORT_RESERVED || port == NFS_PORT)
        goto bad;
The only reason I can think of is to avoid your host being used as a
reflector to attack services on other hosts.
For example: attacker sends a UDP packet to you on port 37, with spoofed
source IP address and source port 53. Without this check, inetd would send
its response back to the spoofed IP address on port 53, so it looks like you
are trying to attack someone else's DNS server.
In the case of UDP 'time', the attacker can't control the response you send,
but can predict it. Other services launched from inetd might give the
attacker more direct control over the packet sent, with the most extreme
example being "echo" :-)
The assumption here of course is that the only services worth attacking are
on ports <1024 or 2049. This still doesn't prevent your box being used as a
DoS repeater, but that's a pretty fundamental limitation of simple UDP
request-response exchanges.
Regards,
Brian.
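The source-port rule discussed above, as an added example that is not part of this thread or of inetd's own code: it parses a hand-built IPv4+UDP datagram, applies the same comparison inetd makes, and shows that a spoofed request from port 53 would be dropped while one from an unprivileged port would be answered. IPPORT_RESERVED (1024) and NFS_PORT (2049) follow the values the message cites; the packet layout and sample datagrams are constructed for illustration.

```c
#include <stdint.h>
#include <string.h>

/* Constructed example, not inetd source: the source-port rule inetd applies
 * before answering a UDP request, exercised over hand-built datagrams. */
#define IPPORT_RESERVED 1024
#define NFS_PORT        2049

/* 1 if inetd would refuse to reply to a request from this source port. */
int source_port_is_bad(uint16_t port)
{
    return port < IPPORT_RESERVED || port == NFS_PORT;
}

/* Extract the UDP source port from a raw IPv4+UDP datagram.
 * Returns 0 for a truncated or non-UDP packet, else 1 and sets *port. */
int udp_source_port(const uint8_t *pkt, size_t len, uint16_t *port)
{
    if (len < 20 || (pkt[0] >> 4) != 4) return 0;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;             /* IPv4 header length */
    if (ihl < 20 || pkt[9] != 17 || len < ihl + 8) return 0; /* proto 17 = UDP */
    *port = (uint16_t)((pkt[ihl] << 8) | pkt[ihl + 1]);
    return 1;
}

/* Build a minimal IPv4+UDP header (no checksums) with the given ports. */
size_t build_udp(uint8_t *buf, uint16_t sport, uint16_t dport)
{
    memset(buf, 0, 28);
    buf[0] = 0x45;                                   /* IPv4, 20-byte header */
    buf[3] = 28;                                     /* total length */
    buf[9] = 17;                                     /* UDP */
    buf[20] = (uint8_t)(sport >> 8); buf[21] = (uint8_t)sport;
    buf[22] = (uint8_t)(dport >> 8); buf[23] = (uint8_t)dport;
    buf[25] = 8;                                     /* UDP length, header only */
    return 28;
}

/* Would a UDP inetd service answer this datagram? 0 = drop (reflection risk). */
int should_answer(const uint8_t *pkt, size_t len)
{
    uint16_t sport;
    return udp_source_port(pkt, len, &sport) && !source_port_is_bad(sport);
}

/* Build a request to time/37 from the given source port and apply the rule. */
int answer_time_request_from(uint16_t sport)
{
    uint8_t pkt[28];
    return should_answer(pkt, build_udp(pkt, sport, 37));
}
```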