Hi Stuart,
     yes, well aware of the forgeability of udp, and was going to
process a whitelist before processing the block rule,
and will probably still insert code for tinydns to check against a
whitelist and, if not on the whitelist, then block all (tcp/udp/icmp)
traffic from that host via pf for a given time when minimums are
exceeded for queries and/or when funky queries are received, as I am
tired of this (and I own these servers).


        regards
        gwen
ps: thanks to all who answered; I just wanted to confirm my
somewhat unpracticed walkthrough of pf.c logic.

Stuart Henderson wrote:
> On 2009/01/25 12:52, gwen hastings wrote:
>> Hi Stuart, yes I noticed that in pf.c the overload table routines
>> are called from tcp only..
>
> that is because UDP can easily be, and often is, forged.
>
> imagine an attacker sending packets with the source address of,
> say, a busy resolver at opendns or some large ISP. if you have some
> process that automatically blocks those packets, you have just
> DOS'd yourself.
>
> it's safer with TCP since blind spoofing is difficult, the attacker
> must be in the network path between you and the host they're
> imitating in order to gain access to sequence numbers. with UDP
> they just have to send crap with a bogus source address.
>
>> sigh the udp dos attacks are getting annoying. will have to add
>> something to tinydns to simply add the attacker to the bruteforce
>> table.
>
> what's that, req for . with spoofed source addresses of isprime's
> nameservers? (see nanog). if so I'd just ignore it, tinydns won't
> be sending a reply anyway so it's just noise in the logs...
>

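For readers following the thread: the pf.conf fragment below is an added illustration of the arrangement discussed above (whitelist matched before the block rule, overload table fed only by TCP), not configuration posted by either author. Macro names ($ext_if, $dns_srv), table names (<whitelist>, <bruteforce>), the rate 50/10 and the 192.0.2.x addresses are assumed placeholders.

```pf
# Added example, not from the thread. OpenBSD pf.conf syntax of the
# 4.x era is assumed; macro and table names are placeholders.
ext_if  = "em0"
dns_srv = "192.0.2.53"

# Resolvers you never want auto-blocked (placeholder addresses).
table <whitelist>  persist { 192.0.2.10, 192.0.2.11 }
table <bruteforce> persist

# The whitelist is evaluated first: 'quick' stops rule processing, so
# a whitelisted source can never reach the block rule below.
pass in quick on $ext_if from <whitelist> to $dns_srv

# Everything (tcp/udp/icmp) from an address in <bruteforce> is dropped.
block in quick on $ext_if from <bruteforce>

# Only TCP feeds the overload table. The three-way handshake validates
# the source address, so a blind spoofer cannot push third parties into
# <bruteforce>. UDP is deliberately left out of the rate limit for the
# reason Stuart gives: a forged UDP source would block the wrong host.
pass in on $ext_if proto tcp from any to $dns_srv port 53 \
    flags S/SA keep state \
    (max-src-conn-rate 50/10, overload <bruteforce> flush global)

pass in on $ext_if proto udp from any to $dns_srv port 53 keep state
```

Entries added this way never expire on their own; a cron job running `pfctl -t bruteforce -T expire 3600` clears those older than an hour, which gives the "for a given time" behaviour. The whitelist only protects the resolvers you know about, so any UDP-driven insertion into the table (for example from tinydns) still lets a forged source get an unlisted legitimate client blocked.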