[AusNOG] [Fwd: Notice: BIND Security Jul2013 CVE2013-4854]

Heinz N ausnog at equisoft.com.au
Sat Jul 27 14:16:40 EST 2013


On Sat, 27 Jul 2013, Mark Delany wrote:

>> that malformed crap. You can also filter on undersize & oversized packets.
>> Pretty cheap insurance if you ask me, plus it reduces the named load.
>
> Is that filtering stateful? I'm asking because I'm wondering what your
> definition of "oversized packet" is.

If you have a normal ingress UDP DNS request longer than your MTU then 
something is strange (IMHO). Thus if there is no fragmentation, no 
connection tracking is needed, and extra packets will fail the test and be 
discarded. I keep it all simple. A normal UDP ingress *request* for an 
IPv4 host 'A' (or 'MX' etc) record from a non-malicious external host will 
always fall within a certain size (depending on the max string size of 
your longest domain name). A hard limit at those extremes works just fine. 
Obviously if you have an external secondary or other trusted DNS hosts, 
exceptions should be put into the rules. A filter that stops anything 
under 65 bytes nicely kills any "NS ." requests which are trying to use 
you in a reflected amplified DNS based attack. The requested domain string 
usually falls between bytes 40 & 100. Thus the packet won't be very much 
larger than that. A bit of a play with Wireshark or tcpdump will give you 
what your absolute maximum ingress innocent request length is. Don't 
forget to use case-insensitive string compares when string filtering on 
local domain names. These are my own opinions.

H.
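A size-envelope check of the kind the post describes, written as an added example that is not part of the original message: it builds minimal UDP DNS queries in wire format, derives the innocent request envelope from the longest hosted name, and applies the trusted-host exception and a case-insensitive local-zone compare. The zone names, addresses and header-size constants are constructed assumptions; a real deployment would express the resulting limits as packet-filter rules.

```python
"""Size-envelope filter for inbound UDP DNS queries (constructed example)."""
import struct

IPV4_HDR, UDP_HDR, DNS_HDR = 20, 8, 12   # byte counts, no Ethernet framing
EDNS0_OPT_RR = 11                        # root name (1) + type/class/TTL/RDLEN (10)

def encode_qname(name: str) -> bytes:
    """Wire-format QNAME: length-prefixed labels ending in a zero byte."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(name: str, qtype: int, edns: bool = False, txid: int = 0x1234) -> bytes:
    """Minimal one-question DNS query, optionally with an empty EDNS0 OPT RR."""
    hdr = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if edns else 0)
    question = encode_qname(name) + struct.pack("!HH", qtype, 1)
    opt = b"\x00" + struct.pack("!HHIH", 41, 4096, 0, 0) if edns else b""
    return hdr + question + opt

def ip_packet_len(dns_payload: bytes) -> int:
    """Total IPv4 packet length carrying this UDP payload."""
    return IPV4_HDR + UDP_HDR + len(dns_payload)

def innocent_envelope(hosted_names):
    """(min, max) IPv4 length of a plain query for the names we actually serve.
    Assumption: the longest legitimate QNAME is the longest hosted name."""
    plain = [ip_packet_len(build_query(n, 1, edns=False)) for n in hosted_names]
    with_edns = [ip_packet_len(build_query(n, 1, edns=True)) for n in hosted_names]
    return min(plain), max(with_edns)

def parse_qname(dns_payload: bytes) -> str:
    """Read the first question's QNAME back out of a query (no compression in queries)."""
    off, labels = DNS_HDR, []
    while (ln := dns_payload[off]) != 0:
        labels.append(dns_payload[off + 1:off + 1 + ln].decode("ascii"))
        off += 1 + ln
    return ".".join(labels)

def qname_in_local_zones(dns_payload: bytes, local_zones) -> bool:
    """Case-insensitive compare of the question name against hosted zones."""
    name = parse_qname(dns_payload).lower()
    zones = [z.lower().rstrip(".") for z in local_zones]
    return any(name == z or name.endswith("." + z) for z in zones)

def decide(ip_len: int, dns_payload: bytes, envelope, local_zones, src: str,
           trusted_sources=()) -> str:
    """'accept' or 'drop' for one inbound UDP query; trusted hosts bypass the size test."""
    if src in trusted_sources:          # external secondary / trusted resolver exception
        return "accept"
    lo, hi = envelope
    if not lo <= ip_len <= hi:          # under- or oversized for any innocent request
        return "drop"
    return "accept" if qname_in_local_zones(dns_payload, local_zones) else "drop"
```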
