Re: [fw-wiz] terminal services
From: Barney Wolff (barney@pit.databus.com)
Date: 01/30/03
- Next message: Reckhard, Tobias: "RE: [fw-wiz] terminal services"
- Previous message: dave: "RE: [fw-wiz] Acqusition of time"
- In reply to: Paul Robertson: "Re: [fw-wiz] terminal services"
- Next in thread: Reckhard, Tobias: "RE: [fw-wiz] terminal services"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: Barney Wolff <barney@pit.databus.com>
To: Paul Robertson <proberts@patriot.net>
Date: Thu Jan 30 03:09:01 2003
On Wed, Jan 29, 2003 at 05:09:29PM -0500, Paul Robertson wrote:
> ...
> Let's not forget that nailing DNS source ports to 53 reduces somewhat
> (though by a trivial amount) resistance to blind spoofing attacks.
For named, the reduction is really trivial. Bind8, at least, when
named.conf says "query-source * port *;" opens up a single non-priv
socket and uses it for all requests. For real resistance to blind
spoofing, it should open a new socket for each request - but that
could lead to fatal resource exhaustion on a busy system, and might
even overload firewall state tables. A casual scan of bind9 source
was not enough to figure out if it's any different.
--
Barney Wolff
http://www.databus.com/bwresume.pdf
I'm available by contract or FT, in the NYC metro area or via the 'Net.
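As an added illustration of the two socket strategies discussed above (example code written for this page, not code from the thread or from BIND), the snippet below binds loopback UDP sockets the way each strategy would and counts how many source ports an off-path spoofer would have to guess in addition to the 16-bit transaction ID. The loopback address and query counts are constructed for the demonstration.

```python
import math
import socket
from contextlib import ExitStack

LOOPBACK = "127.0.0.1"  # constructed: real named binds the query-source address


def single_socket_source_ports(n_queries: int) -> list[int]:
    """BIND 8 style 'query-source * port *': one unprivileged socket is opened
    once and reused for every outgoing query, so the source port never changes."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind((LOOPBACK, 0))          # port 0: kernel picks an ephemeral port
        port = s.getsockname()[1]
        return [port for _ in range(n_queries)]


def per_query_source_ports(n_queries: int) -> list[int]:
    """Fresh socket per outstanding query. Each socket must stay open until its
    reply (or timeout) arrives, so every in-flight query costs one descriptor
    and one stateful-firewall table entry; ports are distinct while all are open."""
    with ExitStack() as stack:
        ports = []
        for _ in range(n_queries):
            s = stack.enter_context(socket.socket(socket.AF_INET, socket.SOCK_DGRAM))
            s.bind((LOOPBACK, 0))
            ports.append(s.getsockname()[1])
        return ports  # all sockets are closed when the stack exits


def guess_space_bits(ports: list[int], txid_bits: int = 16) -> float:
    """Bits a blind spoofer must match for one reply: the transaction ID plus
    log2 of the number of distinct source ports the resolver actually uses.
    A single reused socket contributes zero bits beyond the TXID."""
    return txid_bits + math.log2(len(set(ports)))


if __name__ == "__main__":
    fixed = single_socket_source_ports(64)
    fresh = per_query_source_ports(64)
    print(f"single socket : {len(set(fixed))} port(s), "
          f"{guess_space_bits(fixed):.1f} bits to guess")
    print(f"socket/query  : {len(set(fresh))} port(s), "
          f"{guess_space_bits(fresh):.1f} bits to guess")
```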