Re: Testing F5 3DNS

From: Jay Beale (jay@bastille-linux.org)
Date: Fri Aug 06 2004 - 12:35:06 EDT


Bradley D. Moore wrote:
> It sounds like a simple (non-stateful) packet filter (router or
> host-based) sits between you and your test subject. Unable to detect
> "state" in UDP packets (I suppose "relatedness" would be more
> precise), there's probably an "allow udp src=53" rule
> If that's true, it's very old school technology (IMHO).

This is a slight tangent, but one worth noting on this mailing list.

While the filter could be stateless, it could also be stateful but
simply be horrible with respect to DNS. Microsoft's Internet
Connection Firewall, for instance, will open its resolver's port to all
IP addresses whenever it has sent out a request to its DNS server in
the last 60 seconds. There's a great Phrack article on this, quoted below.

   - Jay

From Phrack: (http://www.phrack.org/phrack/62/p62-0x03_Linenoise.txt)

It can be seen that when the Windows XP computer sent a UDP packet from
port 1026 to port 53 of the DNS server, the firewall allowed all incoming
UDP traffic to port 1026, regardless of the source IP address or source
port of the incoming traffic. Such incoming traffic was allowed to
continue until the firewall decided to block access to port 1026, which
occurred when there was no incoming traffic to port 1026 for a defined
period of time. This timeframe was between 61 seconds and 120 seconds, as
it appeared that the firewall checked once per minute to determine if
access to ports should be revoked due to more than 60 seconds of
inactivity. Assuming that users connected to the Internet would typically
perform a DNS query at least every minute, incoming access to port 1026
would always be granted.
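As an added illustration, not part of the original mail or the Phrack article, the following Python model contrasts the two UDP "state" policies under discussion: the port-only tracking the quote describes (any source may reach a local port that recently sent a query) beside a full flow match keyed on local port, peer address and peer port. Addresses, ports and timings are constructed; the idle timeout is simplified to a flat 60 seconds.

```python
IDLE_TIMEOUT = 60  # simplified: the real firewall only checked once a minute (61-120 s)

class UdpStateTable:
    """Entries keyed by a subclass-chosen key, expired after IDLE_TIMEOUT of silence."""
    def __init__(self):
        self.entries = {}  # key -> time of last matching datagram
    def key(self, local_port, peer_ip, peer_port):
        raise NotImplementedError
    def outbound(self, local_port, dst_ip, dst_port, now):
        # Host sent a datagram: create/refresh the entry that lets replies back in.
        self.entries[self.key(local_port, dst_ip, dst_port)] = now
    def inbound(self, local_port, src_ip, src_port, now):
        # Expire idle entries, then admit only if the datagram matches a live entry.
        for k, last in list(self.entries.items()):
            if now - last > IDLE_TIMEOUT:
                del self.entries[k]
        k = self.key(local_port, src_ip, src_port)
        if k not in self.entries:
            return False
        self.entries[k] = now  # admitted traffic refreshes the timer (as in the quote)
        return True

class PortOnlyTable(UdpStateTable):
    """ICF-like policy from the quote: keyed on the local port alone."""
    def key(self, local_port, peer_ip, peer_port):
        return local_port

class FlowTable(UdpStateTable):
    """Stricter policy: keyed on (local port, peer IP, peer port)."""
    def key(self, local_port, peer_ip, peer_port):
        return (local_port, peer_ip, peer_port)

def run_scenario():
    """Replay constructed traffic through both policies; return per-datagram verdicts."""
    events = [  # (direction, local port, peer ip, peer port, seconds)
        ("out", 1026, "192.0.2.53", 53, 0),       # DNS query from port 1026
        ("in", 1026, "192.0.2.53", 53, 1),        # resolver's reply
        ("in", 1026, "198.51.100.7", 4444, 30),   # unrelated host, 29 s later
        ("in", 1026, "198.51.100.7", 4444, 200),  # same host after 170 s of silence
    ]
    verdicts = {}
    for name, table in (("port_only", PortOnlyTable()), ("flow", FlowTable())):
        verdicts[name] = []
        for direction, lport, ip, rport, t in events:
            if direction == "out":
                table.outbound(lport, ip, rport, t)
            else:
                verdicts[name].append(table.inbound(lport, ip, rport, t))
    return verdicts
```

The port-only table admits the unrelated host's datagram at 30 s and only closes after the idle period; the flow table admits nothing but the queried resolver's reply.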



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:58 EDT