Re: HW and SW threats: how to block?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On 04/10/2018 06:13 PM, Ed Greshko wrote:
> On 04/11/18 07:27, Rick Stevens wrote:
>> I seem to recall the same thing, that iptables opens incoming UDP port
>> 53 for some period of time if it saw an outgoing UDP port 53 request.
>> And I, like you, can't recall what that period was--although I think
>> it was 60 seconds. That's still more than the the basic Linux resolver
>> library's limit.
> 
> 
> That isn't how DNS requests work.
> 
> When a client makes a DNS request the destination port is 53 and the source port is a
> random high port. 
> 
> Frame 3: 77 bytes on wire (616 bits), 77 bytes captured (616 bits)
> Ethernet II, Src: PcsCompu_16:b2:62 (08:00:27:16:b2:62), Dst: Synology_76:13:a8
> (00:11:32:76:13:a8)
> Internet Protocol Version 4, Src: 192.168.1.191, Dst: 192.168.1.1
> User Datagram Protocol, Src Port: 43629, Dst Port: 53
> Domain Name System (query)
> 
> The client then listens on that same random port and the sever response is from
> source port 53
> 
> Frame 4: 253 bytes on wire (2024 bits), 253 bytes captured (2024 bits)
> Ethernet II, Src: Synology_76:13:a8 (00:11:32:76:13:a8), Dst: PcsCompu_16:b2:62
> (08:00:27:16:b2:62)
> Internet Protocol Version 4, Src: 192.168.1.1, Dst: 192.168.1.191
> User Datagram Protocol, Src Port: 53, Dst Port: 43629
> Domain Name System (response)

Yes, I probably didn't say it well. I was inferring that if an outgoing
UDP destination port 53 request was sent, then I think the iptables
conntrack plugin opens incoming UDP traffic with a source port of 53
for some period of time, since this was (theoretically) a DNS request
that's expecting an answer.

Sorry if I wasn't clear and I'm not 100% sure if conntrack actually does
the heavy lifting. I've never looked at the code.
----------------------------------------------------------------------
- Rick Stevens, Systems Engineer, AllDigital    ricks@xxxxxxxxxxxxxx -
- AIM/Skype: therps2        ICQ: 22643734            Yahoo: origrps2 -
-                                                                    -
-              Never eat anything larger than your head              -
----------------------------------------------------------------------
_______________________________________________
users mailing list -- users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to users-leave@xxxxxxxxxxxxxxxxxxxxxxx
[Index of Archives]     [Older Fedora Users]     [Fedora Announce]     [Fedora Package Announce]     [EPEL Announce]     [EPEL Devel]     [Fedora Magazine]     [Fedora Summer Coding]     [Fedora Laptop]     [Fedora Cloud]     [Fedora Advisory Board]     [Fedora Education]     [Fedora Security]     [Fedora Scitech]     [Fedora Robotics]     [Fedora Infrastructure]     [Fedora Websites]     [Anaconda Devel]     [Fedora Devel Java]     [Fedora Desktop]     [Fedora Fonts]     [Fedora Marketing]     [Fedora Management Tools]     [Fedora Mentors]     [Fedora Package Review]     [Fedora R Devel]     [Fedora PHP Devel]     [Kickstart]     [Fedora Music]     [Fedora Packaging]     [Fedora SELinux]     [Fedora Legal]     [Fedora Kernel]     [Fedora OCaml]     [Coolkey]     [Virtualization Tools]     [ET Management Tools]     [Yum Users]     [Yosemite News]     [Gnome Users]     [KDE Users]     [Fedora Art]     [Fedora Docs]     [Fedora Sparc]     [Libvirt Users]     [Fedora ARM]

  Powered by Linux