On Thursday, 02 September 2010 at 15:50 +0200, Amir Herzberg wrote:
> We investigate some issues related to DNS poisoning, and specifically,
> an attack that poisons DNS cache, similar to Kaminsky's attack, but
> that works even if the resolver selects random ports, as long as
> resolver is connected to the Internet via NAT. In particular, we
> tested the attack for the NetFilter NAT.
>
> For obvious reasons, I prefer at this point to share details only with
> developers of NAT devices. If you are such developer, please contact
> me and I can send you the details (paper).
> Feel also welcome to forward the messages to individuals/forums which
> may be relevant (i.e., developers).
>
> I apologize for not being able to promise to respond to requests from
> people who are just curious (i.e., not NAT developers). Thanks for
> your understanding.
> --

Strange, this should be supported since 2007 (port randomization for NAT):

commit 41f4689a7c8cd76b77864461b3c58fde8f322b2c
Author: Eric Leblond <eric@xxxxxx>
Date:   Wed Feb 7 15:10:09 2007 -0800

    [NETFILTER]: NAT: optional source port randomization support

    This patch adds support to NAT to randomize source ports.

    Signed-off-by: Eric Leblond <eric@xxxxxx>
    Signed-off-by: Patrick McHardy <kaber@xxxxxxxxx>
    Signed-off-by: David S. Miller <davem@xxxxxxxxxxxxx>

If using MASQUERADE, it's a very easy setup:

    iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE --random
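As an added example (not code from this thread or from the netfilter project), the following POSIX shell script audits `iptables-save`-style NAT rules for MASQUERADE and SNAT targets that lack the `--random` option mentioned above, and emits a hardened copy of the rule set with `--random` appended to each such rule. The rule lines are a constructed sample; on a real gateway feed the functions the output of `iptables-save -t nat`. The script also treats `--random-fully`, a later iptables option not mentioned in the thread, as randomized.

```shell
#!/bin/sh
# Added example: audit netfilter NAT rules for missing source-port
# randomization. Not part of the original mailing-list thread.
# Input format: iptables-save style lines (one "-A CHAIN ..." per rule).

# Constructed sample nat table: two rules without --random (weak) and
# two with it (hardened). Replace with: iptables-save -t nat
SAMPLE_RULES='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth1 -j MASQUERADE
-A POSTROUTING -s 10.0.0.0/24 -o eth2 -j SNAT --to-source 192.0.2.1
-A POSTROUTING -o eth3 -j MASQUERADE --random
-A POSTROUTING -s 10.0.1.0/24 -o eth4 -j SNAT --to-source 192.0.2.2 --random
COMMIT'

# Print every MASQUERADE/SNAT rule that carries neither --random nor
# --random-fully. Exit status 1 when at least one such rule exists, so the
# function can drive a cron/monitoring check; 0 when all rules randomize.
find_unrandomized_nat_rules() {
    printf '%s\n' "$1" | awk '
        /^-A / && / -j (MASQUERADE|SNAT)( |$)/ && !/ --random(-fully)?( |$)/ {
            print
            found = 1
        }
        END { exit found ? 1 : 0 }
    '
}

# Emit the same rule set with --random appended to each MASQUERADE/SNAT
# rule that lacks randomization; non-rule lines pass through unchanged.
# Review the output before loading it with iptables-restore.
harden_nat_rules() {
    printf '%s\n' "$1" | awk '
        /^-A / && / -j (MASQUERADE|SNAT)( |$)/ && !/ --random(-fully)?( |$)/ {
            $0 = $0 " --random"
        }
        { print }
    '
}

# Stand-alone usage on the constructed sample.
echo "NAT rules without source-port randomization:"
find_unrandomized_nat_rules "$SAMPLE_RULES" || echo "(audit failed: weak rules present)"
echo
echo "Hardened rule set:"
harden_nat_rules "$SAMPLE_RULES"
```

The audit deliberately matches only the target options that follow `-j`, which is where `iptables-save` places `--random`, so a rule that merely mentions "random" in a comment is not counted as hardened.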