Risks of patched servers behind de-randomizing NAT
Alan Clegg
Alan_Clegg at isc.org
Thu Jul 31 20:45:16 UTC 2008
David Carmean wrote:
> I seem to have lost a message where somebody from ISC (Paul?) was going to
> release an updated/new advisory regarding the source-port de-randomizing
> effects that many NAT implementations will have upon patched servers.
I don't know what Paul (or whoever) was going to say, but I'll say the
following:
If I can get your nameserver to resolve a specific query (consider, as
Evan said earlier, an e-mail with a link in it that someone in your
organization might click on), and that query is from a device that shows
up on the Internet as a resolver with non-random source ports, I may
very well be able to poison your cache.
Consider that there are other ways to force "internal" servers to do
predictable outbound queries (think about the SMTP protocol for a moment)...
Randomize the port numbers.
Please.
AlanC
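The check a practitioner would want after reading the above is whether a resolver, as seen from the Internet, still has random source ports once its queries have passed through the NAT. The following is an added example, not code from the original post or from ISC: it takes the UDP source ports observed on a resolver's successive outbound queries (captured on the outside of the NAT, for instance with tcpdump on the upstream link), classifies the sequence as fixed, sequential, low-entropy or random, and states how many bits an attacker has to guess per spoofed reply. The port lists below are constructed sample data, and the 0.9 entropy threshold and the 1 to 16 step range for "sequential" are assumptions chosen for illustration.

```python
"""Classify a resolver's observed outbound UDP source ports.

Added example, not part of the original bind-users post. Feed it the
source ports of consecutive queries as seen outside the NAT.
"""
import math
from collections import Counter

# Constructed sample data (not real captures): source ports of 20
# successive queries from four hypothetical resolvers.
RANDOM_PORTS = [34251, 5123, 60112, 17768, 49930, 2341, 28877, 63201,
                9942, 41567, 55008, 12890, 37415, 20333, 58771, 7702,
                45129, 31056, 64420, 15487]
SEQUENTIAL_PORTS = list(range(1024, 1044))   # NAT handing out ports in order
FIXED_PORTS = [53] * 20                       # unpatched: every query from port 53
ALTERNATING_PORTS = [1024, 1025] * 10         # NAT cycling through two ports


def port_entropy_bits(ports):
    """Shannon entropy (bits) of the observed source-port distribution.

    Bounded above by log2(len(ports)), so a short capture understates a
    truly random resolver; it never overstates a predictable one.
    """
    n = len(ports)
    return -sum(c / n * math.log2(c / n) for c in Counter(ports).values())


def classify_ports(ports):
    """Return 'fixed', 'sequential', 'low-entropy' or 'random'."""
    if len(ports) < 3:
        raise ValueError("need at least 3 observed ports")
    if len(set(ports)) == 1:
        return "fixed"
    deltas = {b - a for a, b in zip(ports, ports[1:])}
    # One constant small positive step between queries means the NAT is
    # allocating ports in order: an attacker who sees one query knows the
    # next. The 1..16 step range is an assumption for this example.
    if len(deltas) == 1 and 1 <= next(iter(deltas)) <= 16:
        return "sequential"
    # With N samples the best achievable entropy is log2(N); demand most of
    # it (the 0.9 factor is an assumed threshold).
    if port_entropy_bits(ports) < 0.9 * math.log2(len(ports)):
        return "low-entropy"
    return "random"


def attacker_work_bits(ports):
    """Lower bound on the bits an attacker must guess per spoofed reply.

    16 bits come from the DNS transaction ID. A fixed or sequential source
    port adds nothing, which is exactly the pre-patch situation the post
    warns about; a random port adds at least the entropy seen in the
    sample (a longer capture raises the bound toward the full 16 bits).
    """
    label = classify_ports(ports)
    if label in ("fixed", "sequential"):
        return 16.0
    return 16.0 + port_entropy_bits(ports)


def report(name, ports):
    """Human-readable summary line for one observed port sequence."""
    return "%-12s %-12s entropy=%.2f bits  guess space >= 2^%.1f" % (
        name, classify_ports(ports), port_entropy_bits(ports),
        attacker_work_bits(ports))


if __name__ == "__main__":
    for name, ports in (("random", RANDOM_PORTS),
                        ("sequential", SEQUENTIAL_PORTS),
                        ("fixed", FIXED_PORTS),
                        ("alternating", ALTERNATING_PORTS)):
        print(report(name, ports))
```

A resolver that is patched but sits behind a NAT which rewrites source ports will show up here as "sequential" or "fixed" even though `named` itself is randomizing, which is the situation the post describes: the attacker's guess space collapses back to the 16-bit transaction ID.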