TCP-ACK vulnerability (was RE: SSH on the router)

Christopher L. Morrow christopher.morrow at mci.com
Thu Jun 10 17:18:03 UTC 2004


On Thu, 10 Jun 2004, joshua sahala wrote:

> On (10/06/04 15:26), Christopher L. Morrow wrote:
> >
> > dns is your friend here :( People love to name things such that they are
> > easy to remember. cat5500.floor2.build3.you.com
> >
>
> only if the dns/security/network/whatever admins are stupid enough to

s/stupid/careless/ || s/stupid/unknowing/ || s/stupid/<pick your favorite
reason why users do dumb things>/

> let that zone be queried on their public facing dns servers.  bind
> allows for the filtering of queries, so your noc/engineering/etc address
> blocks can query that zone (if it requires that there is an external dns
> server for that zone).  granted this is only obscuring things a bit, it

right, and as Sean pointed out to ... Alexei earlier: "Worms do this for
you" (maybe he said port scanners/banner-grabbers); point being, obscurity
isn't really buying you anything :(

> isn't really all that different than having a (semi-)separate management
> network.
> if you don't have it set up like this, or don't know how, then buy
> dns/bind (or an equivalent book) and/or hire someone who does.

Sure, you know this, I know this, Sean knows this and apparently Alexei
knows this (other present company of list included probably as well) but
Joe SOHO Networker doesn't necessarily know this, nor does his corporate
'security/secretary' person know this :( (or even have the power to change
it most times).  So, yes, if you think ahead, plan for the worst and make
security part of your initial design you are ok. What percentage does
this? I'd bet less than the AV/Upgrade percentages :(

-Chris
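The query filtering mentioned in the quoted reply, as an added illustration that is not part of the thread: a BIND named.conf fragment that leaves the public zone open but restricts the zone holding descriptive device names (the cat5500.floor2.build3 style) to management address blocks. The acl name, address ranges, file names and the infra.you.com zone are assumptions made up for this example.

```conf
// Assumed management address blocks (constructed for this example,
// RFC 5737 documentation ranges; substitute your NOC/engineering nets).
acl "mgmt-nets" {
    192.0.2.0/24;        // NOC and engineering workstations
    198.51.100.0/26;     // jump hosts
    localhost;
};

options {
    directory "/var/named";
    // Default for every zone: anyone may query.
    allow-query { any; };
    // Do not act as an open resolver; recurse only for our own nets.
    allow-recursion { "mgmt-nets"; };
    // Zone transfers off by default; enable per zone for real secondaries.
    allow-transfer { none; };
};

// Public zone: world-queryable, nothing sensitive in its names.
zone "you.com" {
    type master;
    file "you.com.zone";
};

// Infrastructure zone with descriptive device names: the per-zone
// allow-query overrides the global "any" so only mgmt-nets may query it.
zone "infra.you.com" {
    type master;
    file "infra.you.com.zone";
    allow-query { "mgmt-nets"; };
};
```

Validate with `named-checkconf` and confirm from an outside address that a query for a name in infra.you.com returns REFUSED; as the thread notes, this only hides the names, it does not protect the devices behind them.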
