[AusNOG] [Fwd: Notice: BIND Security Jul2013 CVE2013-4854]

Mark Andrews marka at isc.org
Sat Jul 27 23:34:33 EST 2013 

In message <alpine.LNX.2.00.1307271354170.25351 at servex.equisoft.com.au>, Heinz 
N writes:
> 
> On Sat, 27 Jul 2013, Mark Delany wrote:
> 
> >> that malformed crap. You can also filter on undersize & oversized packets.
> >> Pretty cheap insurance if you ask me, plus it reduces the named load.
> >
> > Is that filtering stateful? I'm asking because I'm wondering what your
> > definition of "oversized packet" is.
> 
> If you have a normal ingress UDP DNS request longer than your MTU then 
> something is strange (IMHO). Thus if there is no fragmentation, no 
> connection tracking is needed, and extra packets will fail the test and be 
> discarded.  I keep it all simple. A normal UDP ingress *request* for an 
> IPv4 host 'A' (or 'MX' etc) record from a non-malicous external host will 
> always fall within a certain size (depending on the max string size of 
> your longest domain name). A hard limit at those extremes works just fine. 
> Obviously if you have an external secondary or other trusted DNS hosts an 
> exception(s) should be put into the rules. A filter that stops anything 
> under 65 bytes nicely kills any "NS ." requests which are trying to use 
> you in a reflected amplified DNS based attack. The requested domain string 
> usually falls between bytes 40 & 100. Thus the packet won't be very much 
> larger than that. A bit of a play with wireshark or tcpdump will give you 
> what your absolute maximum ingress innocent request length is. Don't 
> forget to use case-insensitive string compares when string filtering on 
> local domain names. These are my own opinions.

And you just showed the world you have no clue about how IP actually
works.  512 bytes was choose for DNS/UDP because it fit within the
minimum reassembly size allowing for headers and some options.  You
seem to be under the illusion that DNS packet with a 512 byte payload
will never be fragmemented.  Even a 100 byte DNS packet can be
fragmented.

This is the sort of idiotic thinking that leads to load balancers
that only answer A queries and drops everything else and in the
process stuff up the rest of the world when it tries to deploy
something new that is depending apon nameserver RESPONDING to
queries.

B.T.W.  Your packet size filters won't help you with this one.

Mark

> H.
> _______________________________________________
> AusNOG mailing list
> AusNOG at lists.ausnog.net
> http://lists.ausnog.net/mailman/listinfo/ausnog
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org

More information about the AusNOG mailing list