DNS Attacks

Drew Weaver drew.weaver at thenap.com
Wed Jan 18 19:26:57 UTC 2012

-----Original Message-----
From: Christopher Morrow [mailto:morrowc.lists at gmail.com] 
Sent: Wednesday, January 18, 2012 11:43 AM
To: Steven Bellovin
Cc: nanog at nanog.org
Subject: Re: DNS Attacks

yup... I think roland and nick (he can correct me, roland I KNOW is saying this) are basically saying:

permit tcp any any eq 80
permit tcp any any eq 443
deny ip any any

is far, far better than state management in a firewall. Anything more complex and your firewall fails long before the 7206's interface/filter will :( Some folks would say you'd be better off doing some LB/filtering-in-software behind said router interface filter, I can't argue with that.


But you don't get the benefit of UNIFIED THREAT MANAGEMENT or syn-authentication with an access-list or what happens if someone sends your wordpress blog a malformed GET request which causes it to give the attacker root? Or Slowloris, or one of any thousand  other HTTP protocol based attacks?

(I'm being sarcastic but that is the argument you will hear).

Seriously though if there is one thing I wish people would stop doing it is releasing web vulnerability scanners for free (like acunetix), they're easy enough to catch because they use sitemaps but they can be a bit annoying and generate a lot of load =)



More information about the NANOG mailing list