port randomization range

Wolfgang S. Rupprecht wolfgang.rupprecht+gnus200807 at gmail.com
Sun Jul 27 12:45:51 UTC 2008


Is there some way to limit the range of ports that bind-9.5.0-P1 uses
in its source port randomization?  Bind using the ports in the 0-32k
range is causing me problems with respect to a hack I have in my
firewall.

It seems that slow authoritative nameservers are triggering the scan
detector.  In particular, if a nameserver sends packets after the
firewall has already removed the state that was set for the outgoing
query packets, then the return packet will look like a probe.  This is
doubly so if the packets happen to fall on a port that is typically
associated with that swiss-cheese operating system from Redmond, WA.

At this point, I'd rather lose one bit of randomization by limiting
the port number to 15 bits than lose my firewall's cold-shoulder hack.
(Yes, I know I should probably reconsider not using that silly hack,
but in practice it seems to work well enough at getting script kiddies
to move on and waste some other person's bandwidth and CPU.)

-wolfgang
-- 
Wolfgang S. Rupprecht			http://www.wsrcc.com/wolfgang/