[148572] in North American Network Operators' Group
RE: DNS Attacks
daemon@ATHENA.MIT.EDU (Drew Weaver)
Wed Jan 18 14:27:47 2012
From: Drew Weaver <drew.weaver@thenap.com>
To: 'Christopher Morrow' <morrowc.lists@gmail.com>, Steven Bellovin
<smb@cs.columbia.edu>
Date: Wed, 18 Jan 2012 14:26:57 -0500
In-Reply-To: <CAL9jLaZmQ_hYRqjYa36P8bPBBs94Ry2J53Aj_EUrPPhQ=iFU1Q@mail.gmail.com>
Cc: "nanog@nanog.org" <nanog@nanog.org>
-----Original Message-----
From: Christopher Morrow [mailto:morrowc.lists@gmail.com]
Sent: Wednesday, January 18, 2012 11:43 AM
To: Steven Bellovin
Cc: nanog@nanog.org
Subject: Re: DNS Attacks
yup... I think Roland and Nick (he can correct me, Roland I KNOW is saying this) are basically saying:
permit tcp any any eq 80
permit tcp any any eq 443
deny ip any any
is far, far better than state management in a firewall. Anything more complex and your firewall fails long before the 7206's interface/filter will :(
Some folks would say you'd be better off doing some LB/filtering-in-software behind said router interface filter, I can't argue with that.
>>>>>
But you don't get the benefit of UNIFIED THREAT MANAGEMENT or SYN authentication with an access-list, or what happens if someone sends your WordPress blog a malformed GET request which causes it to give the attacker root? Or Slowloris, or one of any thousand other HTTP protocol-based attacks?
(I'm being sarcastic, but that is the argument you will hear.)
Seriously though, if there is one thing I wish people would stop doing it is releasing web vulnerability scanners for free (like Acunetix); they're easy enough to catch because they use sitemaps, but they can be a bit annoying and generate a lot of load =)
-Drew
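[Editor's note, not part of the thread.] The three-line ACL Morrow quotes above is a stateless, first-match filter: every packet is judged on its own header fields and nothing is remembered between packets, which is exactly why it has no table to fill under a SYN flood. The simulation below, written for this archive page rather than taken from the thread or from any vendor, models that ACL next to a minimal stateful filter with a bounded flow table and pushes a constructed SYN flood through both. The flow-table size, the address ranges (RFC 5737 documentation prefixes) and the packet counts are arbitrary assumptions chosen to make the difference visible.

```python
"""Stateless router ACL vs. stateful firewall under a SYN flood.

Added illustration for the NANOG "DNS Attacks" thread; not code from the
thread, from Cisco, or from any firewall product. All packets are
constructed here, not captured traffic.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SERVER = "192.0.2.10"  # assumed web server behind the router (RFC 5737 space)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str      # "tcp", "udp" or "icmp"
    sport: int
    dport: int
    syn: bool = False
    ack: bool = False


# The ACL from the thread, as (action, protocol, destination port) tuples.
# IOS evaluates entries top to bottom and stops at the first match; "ip"
# matches any protocol and None matches any port, so the last line is the
# catch-all "deny ip any any".
ACL: List[Tuple[str, str, Optional[int]]] = [
    ("permit", "tcp", 80),
    ("permit", "tcp", 443),
    ("deny", "ip", None),
]


def acl_decision(pkt: Packet, acl=ACL) -> str:
    """First-match evaluation of a stateless ACL. Touches no shared state,
    so its cost is the same for the first packet and the ten-millionth."""
    for action, proto, dport in acl:
        if proto != "ip" and proto != pkt.proto:
            continue
        if dport is not None and pkt.dport != dport:
            continue
        return action
    return "deny"  # IOS applies an implicit deny after the last entry


class StatefulFirewall:
    """Toy connection-tracking filter: same ACL in front, plus a per-flow
    table that every permitted SYN must be entered into. The table is
    bounded (real ones are too, by RAM or ASIC entries)."""

    def __init__(self, max_entries: int) -> None:
        self.max_entries = max_entries
        self.table: Dict[Tuple[str, int, str, int], str] = {}
        self.dropped_table_full = 0

    def decide(self, pkt: Packet) -> str:
        if acl_decision(pkt) != "permit":
            return "deny"
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self.table:
            return "permit"  # known flow
        if pkt.syn and not pkt.ack:
            if len(self.table) >= self.max_entries:
                self.dropped_table_full += 1
                return "deny"  # out of room for new flows
            self.table[key] = "SYN_RCVD"
            return "permit"
        return "deny"  # mid-stream packet for a flow we never saw


def run_syn_flood(n_attack_sources: int, state_table_size: int) -> dict:
    """Push n_attack_sources spoofed SYNs to tcp/80 through both filters,
    then one legitimate SYN to tcp/443, and report what each filter did."""
    stateful = StatefulFirewall(max_entries=state_table_size)
    stateless_permitted = stateful_permitted = 0
    for i in range(n_attack_sources):
        # Constructed attack traffic: distinct spoofed source ports so each
        # SYN looks like a new flow to the connection tracker.
        pkt = Packet(src=f"198.51.100.{i % 254 + 1}", dst=SERVER,
                     proto="tcp", sport=40000 + i, dport=80, syn=True)
        if acl_decision(pkt) == "permit":
            stateless_permitted += 1
        if stateful.decide(pkt) == "permit":
            stateful_permitted += 1
    legit = Packet(src="203.0.113.7", dst=SERVER, proto="tcp",
                   sport=51515, dport=443, syn=True)
    return {
        "stateless_permitted": stateless_permitted,
        "stateful_permitted": stateful_permitted,
        "legit_syn_stateless": acl_decision(legit),
        "legit_syn_stateful": stateful.decide(legit),
        "state_entries": len(stateful.table),
    }


if __name__ == "__main__":
    for pkt in (Packet("10.0.0.1", SERVER, "tcp", 1234, 22, syn=True),
                Packet("10.0.0.1", SERVER, "udp", 1234, 53),
                Packet("10.0.0.1", SERVER, "tcp", 1234, 443, syn=True)):
        print(f"{pkt.proto}/{pkt.dport}: {acl_decision(pkt)}")
    print(run_syn_flood(n_attack_sources=5000, state_table_size=1000))
```

What the run shows is the trade Morrow describes: the stateless ACL passes every SYN to 80 and 443 and costs nothing extra per packet, so the flood lands on the host or the load balancer behind it (his "LB/filtering-in-software" point), while the stateful filter stops accepting new flows, legitimate ones included, as soon as its table fills. One caveat a practitioner would add to the ACL itself: "deny ip any any" also drops ICMP, including the fragmentation-needed messages path MTU discovery depends on, so a real deployment usually permits that ICMP type explicitly.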