Hi Jonathan,
This is actually a good idea, but I want to make some comments on it.
1- Only your DNS server accesses the root servers. All the other systems
only access their resolvers (listed at /etc/resolv.conf). So you would
only need to white list these IPs on your DNS server.
2- If you are monitoring your IDS or named logs with ossec, UDP spoofed
attacks could be done to cause a DoS. However, for the average usage of
ossec (monitoring logs), it would not be simple (since most daemons
use TCP). Besides that, there is no way for an external attacker to inject
data into ossec.
3- (replying to Ken) - The best protection is to disable active response
for the named rules (it should be by default) and be careful when doing
active response based on your IDS alerts (a simple modification to the
rules can make it only block if the alert is from a TCP session). Also,
white listing the root servers and your "known-good" systems helps.
*ossec has no spoof protection, because it acts based on the logs
received. For most TCP-based services, it is not a problem as I mentioned
before...
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On 8/18/06, Jonathan Scheidell <[EMAIL PROTECTED]> wrote:
I don't know if this has been discussed but I don't think it has.
If you are running the active response I would recommend white listing the
DNS root servers. If someone were to find out you were running any kind of
automated blocker they could (or should if they were smart) spoof attack
packets from the DNS root servers' IP addresses. This would cause OSSEC (or
whatever software you're running) to temporarily block those IPs and
essentially DoS yourself. If you can't make external DNS resolutions you're
not going to be able to do ANYTHING on the internet.
Here is a list if anyone wants to cut and paste into their ossec.conf (in
the <global> section)
<white_list>198.41.0.4</white_list>
<white_list>192.228.79.201</white_list>
<white_list>192.33.4.12</white_list>
<white_list>128.8.10.90</white_list>
<white_list>192.203.230.10</white_list>
<white_list>192.5.5.241</white_list>
<white_list>192.112.36.4</white_list>
<white_list>128.63.2.53</white_list>
<white_list>192.36.148.17</white_list>
<white_list>192.58.128.30</white_list>
<white_list>193.0.14.129</white_list>
<white_list>198.32.64.12</white_list>
<white_list>202.12.27.33</white_list>
Daniel:
I would also recommend this be added to the default ossec.conf (with
comments).
--
Jon Scheidell
Security Engineer
Secnap Network Security
(561) 999-5000 x:4110
www.secnap.com
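An added example (not from either poster or the OSSEC project) of the decision Daniel describes in point 3: refuse to fire an active response when the alerting source is white-listed or the alert did not come from a TCP session, run over constructed Snort-style alert lines. The root-server addresses are the ones Jon posted; the alert lines, the other addresses and the function names are hypothetical.

```python
import ipaddress
import re

# The root-server addresses posted in the thread, used here as the white list.
ROOT_SERVER_WHITE_LIST = frozenset({
    "198.41.0.4", "192.228.79.201", "192.33.4.12", "128.8.10.90",
    "192.203.230.10", "192.5.5.241", "192.112.36.4", "128.63.2.53",
    "192.36.148.17", "192.58.128.30", "193.0.14.129", "198.32.64.12",
    "202.12.27.33",
})

# Protocol and source address of a Snort "fast"-style alert line, e.g.
# "... {UDP} 198.41.0.4:53 -> 10.0.0.5:33021" (ICMP lines carry no port).
ALERT_RE = re.compile(r"\{(?P<proto>[A-Z]+)\}\s+(?P<src>\d+(?:\.\d+){3})(?::\d+)?\s+->")

# Constructed sample alerts; all non-root addresses are hypothetical.
SAMPLE_ALERTS = [
    "08/18-10:21:03.1 [**] [1:1:1] probe [**] {UDP} 198.41.0.4:53 -> 10.0.0.5:33021",
    "08/18-10:21:04.2 [**] [1:2:1] probe [**] {UDP} 203.0.113.9:5555 -> 10.0.0.5:53",
    "08/18-10:21:05.3 [**] [1:3:1] scan [**] {TCP} 203.0.113.9:43122 -> 10.0.0.5:22",
    "08/18-10:21:06.4 [**] [1:4:1] ping [**] {ICMP} 198.51.100.7 -> 10.0.0.5",
    "not an alert line",
]

def should_block(alert_line, white_list=ROOT_SERVER_WHITE_LIST):
    """Return (block, reason) for one alert line.

    Block only a non-white-listed source seen over TCP: UDP and ICMP sources
    are trivially forged, so acting on them lets an attacker choose who gets
    cut off. A bare TCP SYN can be forged too, so prefer alerts the IDS raises
    on established sessions where it exposes that state.
    """
    m = ALERT_RE.search(alert_line)
    if not m:
        return False, "unparsed"
    if m.group("src") in white_list:
        return False, "white_listed"
    if m.group("proto") != "TCP":
        return False, "spoofable_protocol"
    return True, "block"

def blocked_sources(alert_lines, white_list=ROOT_SERVER_WHITE_LIST):
    """Distinct source IPs an active response would actually block, sorted."""
    return sorted({ALERT_RE.search(line).group("src") for line in alert_lines
                   if should_block(line, white_list)[0]})

def white_list_xml(ips):
    """Render addresses as <white_list> entries for the <global> section of ossec.conf."""
    return "\n".join(f"<white_list>{ip}</white_list>"
                     for ip in sorted(ips, key=ipaddress.ip_address))
```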