Yes, hosts would only contact their local DNS servers, but if you were using ossec to monitor any IDS, or even firewall logs, and have the active response linked to ipfw sending dynamic ACLs to a firewall, someone (and yes, it would be a UDP attack) could send those spoofed attacks to your network.

Even if you whitelist the local DNS servers, how do those servers do an external lookup that isn't in cache during an attack outlined above? They can't, because ossec/ipfw has blocked access from/to those DNS root servers. Ossec is an extremely powerful tool and I was skeptical when I was first looking at it (I thought it was glorified swatch); but now I really like it and want to migrate more tasks to it. Just looking from an attacker's point of view, I wanted to address these issues. If it were me, I would whitelist the DNS roots in the source code (built into the active response software), as a just-in-case scenario. But yes, also whitelist internal DNS, gateways, etc.

--
Jon Scheidell
Security Engineer
Secnap Network Security
(561) 999-5000 x:4110
www.secnap.com

-----Original Message-----
From: [email protected] [mailto:[EMAIL PROTECTED]] On Behalf Of Daniel Cid
Sent: Friday, August 18, 2006 4:03 PM
To: [email protected]
Subject: [ossec-list] Re: White listing DNS root servers

Hi Jonathan,

This is actually a good idea, but I want to make some comments on it.

1- Only your DNS server accesses the root servers. All the other systems only access their resolvers (listed at /etc/resolv.conf). So you would only need to white list these IPs on your DNS server.

2- If you are monitoring your IDS or named logs with ossec, UDP spoofed attacks could be done to cause a DoS. However, for the average usage of ossec (monitoring logs), it would not be simple (since most daemons use TCP). Besides that, there is no way for an external attacker to inject data into ossec.

3- (replying to Ken) - The best protection is to disable active response for the named rules (it should be by default) and be careful when doing active response based on your IDS alerts (a simple modification to the rules can make it only block if the alert is from a TCP session). Also, white listing the root servers and your "known-good" systems helps.

*ossec has no spoof protection, because it acts based on the logs received. For most TCP-based services, it is not a problem, as I mentioned before...

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

On 8/18/06, Jonathan Scheidell <[EMAIL PROTECTED]> wrote:
>
> I don't know if this has been discussed but I don't think it has.
>
> If you are running the active response I would recommend white listing the
> DNS root servers. If someone was to find out you were running any kind of
> automated blocker they could (or should if they were smart) spoof attack
> packets from the DNS root servers' IP addresses. This would cause OSSEC (or
> whatever software you're running) to temporarily block those IPs and
> essentially DoS yourself. If you can't make external DNS resolutions you're
> not going to be able to do ANYTHING on the internet.
>
> Here is a list if anyone wants to cut and paste into their ossec.conf (in
> the <global> section)
>
> <white_list>198.41.0.4</white_list>
> <white_list>192.228.79.201</white_list>
> <white_list>192.33.4.12</white_list>
> <white_list>128.8.10.90</white_list>
> <white_list>192.203.230.10</white_list>
> <white_list>192.5.5.241</white_list>
> <white_list>192.112.36.4</white_list>
> <white_list>128.63.2.53</white_list>
> <white_list>192.36.148.17</white_list>
> <white_list>192.58.128.30</white_list>
> <white_list>193.0.14.129</white_list>
> <white_list>198.32.64.12</white_list>
> <white_list>202.12.27.33</white_list>
>
> Daniel:
>
> I would also recommend this be added to the default ossec.conf (with
> comments).
>
> --
> Jon Scheidell
> Security Engineer
> Secnap Network Security
> (561) 999-5000 x:4110
> www.secnap.com
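The two mitigations the thread settles on, never blocking a whitelisted address and only blocking on alerts that came from a TCP session, can be expressed as a small decision gate. The Python below is an added illustration, not code from OSSEC or from either poster: the key=value alert format, the sample alert lines, and the internal entries 10.0.0.53 (assumed internal resolver) and 10.0.0.0/24 (assumed gateway range) are constructed for the example; the root server addresses are the ones Jon posted.

```python
import ipaddress
import re

# Root server addresses from Jon's <white_list> entries, plus two constructed
# internal entries (assumptions for this example, not from the thread).
WHITE_LIST_ENTRIES = [
    "198.41.0.4", "192.228.79.201", "192.33.4.12", "128.8.10.90",
    "192.203.230.10", "192.5.5.241", "192.112.36.4", "128.63.2.53",
    "192.36.148.17", "192.58.128.30", "193.0.14.129", "198.32.64.12",
    "202.12.27.33",
    "10.0.0.53",    # constructed: internal resolver
    "10.0.0.0/24",  # constructed: gateways and management hosts
]

# Constructed alert lines in a made-up key=value format (not OSSEC's own
# alert format); the point is the decision logic, not the parser.
SAMPLE_ALERTS = [
    "srcip=198.41.0.4 proto=udp rule=31151",   # spoofed root server, UDP
    "srcip=10.0.0.53 proto=tcp rule=31151",    # internal resolver
    "srcip=203.0.113.9 proto=udp rule=31151",  # unverified UDP source
    "srcip=203.0.113.9 proto=tcp rule=31151",  # TCP session, not whitelisted
    "srcip=10.0.0.250 proto=tcp rule=31151",   # inside the gateway range
]

ALERT_RE = re.compile(
    r"srcip=(?P<srcip>[0-9a-fA-F:.]+)\s+proto=(?P<proto>\w+)\s+rule=(?P<rule>\d+)"
)


def build_whitelist(entries):
    """Turn plain addresses and CIDR ranges into ip_network objects."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def is_whitelisted(ip, networks):
    """True if ip falls inside any whitelisted address or range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def parse_alert(line):
    m = ALERT_RE.search(line)
    if not m:
        raise ValueError(f"unparseable alert: {line!r}")
    return m.groupdict()


def decide(line, networks, tcp_only=True):
    """Return (action, reason) for one alert line.

    Two checks, in the order Daniel describes: never block a whitelisted
    address, and with tcp_only only block sources seen over TCP, since a UDP
    source address can be spoofed and the log line is all the responder sees.
    """
    alert = parse_alert(line)
    src = alert["srcip"]
    if is_whitelisted(src, networks):
        return ("allow", f"{src} is whitelisted")
    if tcp_only and alert["proto"].lower() != "tcp":
        return ("allow", f"{src} seen only over {alert['proto']}, source unverified")
    return ("block", f"{src} matched rule {alert['rule']} over TCP")


def run(alerts=SAMPLE_ALERTS, entries=WHITE_LIST_ENTRIES, tcp_only=True):
    """Apply the gate to every alert and return the list of (action, reason)."""
    networks = build_whitelist(entries)
    return [decide(a, networks, tcp_only) for a in alerts]


if __name__ == "__main__":
    for action, reason in run():
        print(f"{action:5} {reason}")
```

With the defaults only the fourth sample (a non-whitelisted source seen over TCP) is blocked; the spoofable UDP alert from the root server address and the UDP alert from 203.0.113.9 are both left alone. Setting tcp_only=False shows what Jon was worried about: the second 203.0.113.9 alert is then blocked on an unverified source address, and only the whitelist stands between a forged root-server packet and a self-inflicted DNS outage.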
