[Dshield] Re: Risk Assessment

Mar Matthias Darin BDarin at tanaya.net
Sun Oct 24 08:51:26 GMT 2004


Hello, 

> If you need to use tcpdump to know that your webserver doesn't use UDP
> then you are really missing the point.

Not really...  Do a port 80 lookup on Neohapsis and other public services, 
including the /etc/services on every standard Linux distro.  I'd say that IS 
the point. 

> ...and risk breaking some protocols in some corner cases that you never
> saw in your hasty testing.

4 years is hardly hasty...  Since I installed the software, pay the bills, 
repair and clean the machine when needed, there isn't a "corner case" to 
begin with. 

>> 5.  Severe limits on my email server:
>>    1.  No literal ip connections.
> 
> I think you mean "no literal IP addresses in the HELO."  Every
> connection is a "literal IP" at the network stack layer.

Correct...  Also against RFC, but see above. 

>>    4.  Mail is not accepted from any IP address that does NOT have a
>>        reverse DNS lookup.
> 
> Try that on a large server and see how well it works.  You will find
> that you get a lot of false positives.  Yes, there are lots of clueless
> mail admins that run servers without rDNS, but that's life.

My server handles a million people a day...  It's not Yahoo or MSN, but 
nonetheless, it is quite significant for my equipment. 

It may be life for them, but these policies stop 30,000 to 40,000 spams a 
day and at least a thousand viruses...  my users call it efficiency to login 
to their account and maybe have one spam/day.  Are your stats as efficient? 

>> 6.  No ICMP packets allowed at all.
> 
> Now this is just idiotic.  You should at least allow type 3/code 4
> (Needs Fragmentation) so that you don't break path MTU discovery.  See
> also <http://alive.znep.com/~marcs/mtu/>.  It's also probably good to
> enable type 11/code 0 (Time Exceeded) so that traceroute works.  And
> finally 8/0 and 0/0 for ping.  If you really want to disable ping then
> filter it, but I think that's false security.  If you think that having
> traceroute and ping is a security vulnerability then you really need to
> read more about how TCP/IP works and stop reading rants from Steve
> Gibson and the like.  Certainly you want to filter most other ICMP types
> but blindly filtering ALL ICMP is bad, it's "goober with a firewall"
> syndrome - "OH NO A PING!  HAXX0RS ARE PINGING ME!"

Tell that to eBay, Yahoo, and Amazon at the very least during the Code Red 
fiasco.  I am well versed on ICMP...  that's why it's blocked.  As far as 
breaking anything... hasn't happened since I built my server... 

When YOU pay my bills then YOU can decide what is idiotic.  Until then, as 
long as my users are happy...  that's the way it stays.  They like the 
service, I like the profit tree...  It works for all of us. 
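The selective ICMP allow-list from the quoted reply above (3/4, 11/0, 8/0, 0/0; everything else filtered), as an added example that is not part of the original thread: it parses a raw ICMP message, verifies the RFC 792 checksum, returns the verdict, and emits the equivalent iptables rules. The packets it builds are constructed samples; the iptables rule strings are assumed to be applied by the reader, not executed here.

```python
"""Selective ICMP filtering policy (example code, not from the Dshield thread)."""
import struct

# (type, code) pairs the reply above says to keep open, and why.
ICMP_ALLOW = {
    (3, 4):  "destination unreachable / fragmentation needed (path MTU discovery)",
    (11, 0): "time exceeded in transit (traceroute)",
    (8, 0):  "echo request (ping)",
    (0, 0):  "echo reply (ping)",
}

def icmp_checksum(data: bytes) -> int:
    """RFC 792 one's-complement sum over the whole ICMP message; 0 means valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_icmp(icmp_type: int, code: int, payload: bytes = b"") -> bytes:
    """Construct a sample ICMP message with a correct checksum (test input only)."""
    header = struct.pack("!BBHI", icmp_type, code, 0, 0)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHI", icmp_type, code, csum, 0) + payload

def icmp_verdict(packet: bytes) -> tuple[str, str]:
    """Return ('ACCEPT' | 'DROP', reason) for one raw ICMP message."""
    if len(packet) < 8:
        return "DROP", "truncated ICMP header"
    icmp_type, code = packet[0], packet[1]
    if icmp_checksum(packet) != 0:          # sum incl. checksum field folds to 0xFFFF
        return "DROP", "bad checksum"
    reason = ICMP_ALLOW.get((icmp_type, code))
    if reason is None:
        return "DROP", f"type {icmp_type}/code {code} not on allow-list"
    return "ACCEPT", reason

def iptables_rules() -> list[str]:
    """The same policy as iptables INPUT rules: allow the four pairs, drop the rest."""
    rules = [f"iptables -A INPUT -p icmp --icmp-type {t}/{c} -j ACCEPT"
             for (t, c) in ICMP_ALLOW]
    rules.append("iptables -A INPUT -p icmp -j DROP")
    return rules

if __name__ == "__main__":
    for t, c in [(3, 4), (8, 0), (13, 0), (5, 1)]:
        print(t, c, icmp_verdict(build_icmp(t, c)))
    print("\n".join(iptables_rules()))
```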
