[AusNOG] [Fwd: Notice: BIND Security Jul2013 CVE2013-4854]
Heinz N
ausnog at equisoft.com.au
Sat Jul 27 14:16:40 EST 2013
On Sat, 27 Jul 2013, Mark Delany wrote:
>> that malformed crap. You can also filter on undersize & oversized packets.
>> Pretty cheap insurance if you ask me, plus it reduces the named load.
>
> Is that filtering stateful? I'm asking because I'm wondering what your
> definition of "oversized packet" is.
If you have a normal ingress UDP DNS request longer than your MTU then
something is strange (IMHO). Thus if there is no fragmentation, no
connection tracking is needed, and extra packets will fail the test and be
discarded. I keep it all simple. A normal UDP ingress *request* for an
IPv4 host 'A' (or 'MX' etc) record from a non-malicious external host will
always fall within a certain size (depending on the max string size of
your longest domain name). A hard limit at those extremes works just fine.
Obviously if you have an external secondary or other trusted DNS hosts,
exceptions should be put into the rules. A filter that stops anything
under 65 bytes nicely kills any "NS ." requests which are trying to use
you in a reflected amplified DNS based attack. The requested domain string
usually falls between bytes 40 & 100. Thus the packet won't be very much
larger than that. A bit of a play with wireshark or tcpdump will give you
what your absolute maximum ingress innocent request length is. Don't
forget to use case-insensitive string compares when string filtering on
local domain names. These are my own opinions.
H.
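As an added illustration (not part of Heinz's post or any BIND tooling), a Python script that computes the layer-3 size of ingress UDP DNS queries for a constructed sample zone, derives the legitimate size window from your own shortest and longest names (with and without the EDNS0 OPT record most resolvers append), and applies the trusted-secondary exception and the case-insensitive local-domain match the post recommends. The zone names, addresses and thresholds are constructed; the window is derived rather than hard-coded because a fixed byte figure depends on which layer your filter measures.

```python
import struct

IPV4_HDR, UDP_HDR, DNS_HDR = 20, 8, 12   # layer-3 sizes, IPv4 without options
OPT_RR_LEN = 11                          # EDNS0 OPT pseudo-RR that most resolvers append

def encode_qname(name):
    """Wire-format QNAME: length-prefixed labels ending in a zero byte ('.' -> b'\\x00')."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(name, qtype=1, edns=False, txid=0x1234):
    """Minimal standard query: RD set, one question, QCLASS IN, optional EDNS0 OPT."""
    msg = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if edns else 0)
    msg += encode_qname(name) + struct.pack("!HH", qtype, 1)
    if edns:  # OPT RR: root name, TYPE 41, CLASS = advertised UDP size, TTL 0, RDLEN 0
        msg += b"\x00" + struct.pack("!HHIH", 41, 4096, 0, 0)
    return msg

def ip_len(dns_msg):
    """Packet length a layer-3 size filter (e.g. an iptables length match) would see."""
    return IPV4_HDR + UDP_HDR + len(dns_msg)

def size_bounds(names, allow_edns=True):
    """Smallest and largest legitimate A-query packet for the zone's own names."""
    variants = (False, True) if allow_edns else (False,)
    sizes = [ip_len(build_query(n, edns=e)) for n in names for e in variants]
    return min(sizes), max(sizes)

def is_local(qname, local_domains):
    """Case-insensitive suffix match, as the post recommends for local-domain rules."""
    q = qname.lower().rstrip(".")
    doms = [d.lower().rstrip(".") for d in local_domains]
    return any(q == d or q.endswith("." + d) for d in doms)

def verdict(pkt_len, src, lo, hi, trusted=frozenset()):
    """Trusted secondaries bypass the window; everyone else must fit inside it."""
    if src in trusted:
        return "accept-trusted"
    if pkt_len < lo:
        return "drop-undersize"
    if pkt_len > hi:
        return "drop-oversize"
    return "accept"

if __name__ == "__main__":
    zone = ["example.com", "www.example.com", "mail.example.com"]  # constructed sample zone
    lo, hi = size_bounds(zone)                                       # -> (57, 73)
    ns_root = ip_len(build_query(".", qtype=2))                      # "NS ." probe -> 45 bytes
    print(f"window {lo}-{hi}; 'NS .' is {ns_root} bytes:", verdict(ns_root, "203.0.113.9", lo, hi))
```

Feed `size_bounds` the longest and shortest names your zones actually serve (the wireshark/tcpdump survey the post describes) and the derived window replaces guesswork; the root "NS ." amplification probe lands well below it in every case.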