Re: [logs] Re: Reliably detecting things like the SQL worm....

From: Michael Batchelder (piranhabrosat_private)
Date: Tue Jan 28 2003 - 05:32:57 PST


    Martin Harriss (martinat_private) wrote:
    
    > Unfortunately, 1434 is a perfectly valid "ephemeral" port.
    > Would you like, for instance, random DNS failures?
    
    This is getting off the topic of logging, but the issue of a UDP
    packet w/source port of 53 being sent to port 1434 should be
    addressable by good firewall technology and good architecture. 
    For simple starters, many firewalls impose pseudo-state on UDP
    through use of timers and basic understanding of
    request-response directions.  Other firewalls can do more
    app-level inspection to ensure that the packets in question are
    legit DNS query/response.  And DNS as an application naturally
    lends itself to proxy-like architecture through forwarder/proxy
    functionality.
    
    Architecturally, I would contend that the ideal design of a
    network that connects to the Internet will not have random
    individual hosts making DNS requests to a public server on the
    opposite side of a firewall.  DNS requests should go through
    one's own forwarder/proxy/local DNS server/whatever so that only
    one or a limited number of entities are sending queries through a
    firewall to the public Internet.
    
    Those hosts allowed to make such queries should be limited in
    function to just that function, if possible.  We know
    historically that the code for many common DNS servers has had
    its share of security bugs, so said hosts should themselves be
    firewalled off, down to just the connections + directions
    required.  Again, might not be possible, but in any case said
    host should not be running services like SQL Server which have
    high bug potential and tend to be used for end-user data
    handling, and don't typically need connectivity to the public
    world.  It just doesn't make sense to put an app like that on
    the same system as a DNS server/proxy/whatever.
    
    Binky
    
    _______________________________________________
    LogAnalysis mailing list
    LogAnalysisat_private
    http://lists.shmoo.com/mailman/listinfo/loganalysis
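The UDP "pseudo-state" and forwarder-only design argued for above, as an added toy model that is not part of the original message or of any firewall product: only the designated forwarder may send queries out to port 53, and an inbound packet with source port 53 is accepted only if it matches a query seen within a timer window. The forwarder address and the 30-second timer are assumed values.

```python
# Added example: a minimal stateful filter for outbound DNS over UDP.
# It models the two controls the post describes: request/response
# direction tracked with a timer, and a single forwarder allowed to query.
from dataclasses import dataclass

DNS_PORT = 53
STATE_TIMEOUT = 30.0          # seconds a query entry stays live (assumed value)
FORWARDER = "10.0.0.53"       # assumed address of the internal DNS forwarder


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    ts: float                 # arrival time in seconds


class UdpDnsFilter:
    def __init__(self, forwarder=FORWARDER, timeout=STATE_TIMEOUT):
        self.forwarder = forwarder
        self.timeout = timeout
        self.state = {}       # (client, client_port, server) -> expiry time

    def _expire(self, now):
        # Drop entries whose timer has run out; this is the "pseudo-state".
        self.state = {k: t for k, t in self.state.items() if t > now}

    def outbound(self, pkt):
        """Internal -> Internet: only the forwarder may send DNS queries."""
        self._expire(pkt.ts)
        if pkt.dport != DNS_PORT or pkt.src != self.forwarder:
            return "DROP"
        self.state[(pkt.src, pkt.sport, pkt.dst)] = pkt.ts + self.timeout
        return "ACCEPT"

    def inbound(self, pkt):
        """Internet -> internal: source port 53 alone proves nothing; the
        packet must answer a live query (same client, client port, server).
        The entry is consumed so a second packet cannot ride on it."""
        self._expire(pkt.ts)
        key = (pkt.dst, pkt.dport, pkt.src)
        if pkt.sport == DNS_PORT and self.state.pop(key, None) is not None:
            return "ACCEPT"
        return "DROP"
```

An unsolicited packet from port 53 to an arbitrary internal host on 1434 is dropped, while the forwarder's own reply on the same ephemeral port is accepted because a matching query was recorded.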
    



    This archive was generated by hypermail 2b30 : Tue Jan 28 2003 - 06:44:03 PST