drew.weaver at thenap.com
Wed Jan 18 13:26:57 CST 2012
From: Christopher Morrow [mailto:morrowc.lists at gmail.com]
Sent: Wednesday, January 18, 2012 11:43 AM
To: Steven Bellovin
Cc: nanog at nanog.org
Subject: Re: DNS Attacks
yup... I think roland and nick (he can correct me, roland I KNOW is saying this) are basically saying:
permit tcp any any eq 80
permit tcp any any eq 443
deny ip any any
is far, far better than state management in a firewall. Anything more complex and your firewall fails long before the 7206's interface/filter will :( Some folks would say you'd be better off doing some LB/filtering-in-software behind said router interface filter, I can't argue with that.
But you don't get the benefit of UNIFIED THREAT MANAGEMENT or syn-authentication with an access-list or what happens if someone sends your wordpress blog a malformed GET request which causes it to give the attacker root? Or Slowloris, or one of any thousand other HTTP protocol based attacks?
(I'm being sarcastic but that is the argument you will hear).
Seriously though if there is one thing I wish people would stop doing it is releasing web vulnerability scanners for free (like acunetix), they're easy enough to catch because they use sitemaps but they can be a bit annoying and generate a lot of load =)
More information about the NANOG