[Dshield] Re: Risk Assessment

Brian Dessent brian at dessent.net
Sun Oct 24 22:09:11 GMT 2004


Mar Matthias Darin wrote:

> > ...and risk breaking some protocols in some corner cases that you never
> > saw in your hasty testing.
> 
> 4 years is hardly hasty...  Since I installed the software, pay the bills,
> repair and clean the machine when needed, there isn't a "corner case" to
> begin with.

So, you disregard protocol specs and it hasn't bitten you /yet/, that
you've noticed.  Example: most of the time DNS uses only UDP.  But, for
large queries and zone transfers it can use TCP.  Let's consider the
poor readers of the list that, having followed your advice, said to
themselves, "Gee, I don't see any TCP being used by DNS, so I'm not
going to allow TCP through my firewall on 53."  And then a couple of
years down the line they to setup an off-site secondary nameserver, the
zone transfers inexplicably fail and no one knows why.  Much hair
pulling ensues.  And name resolution fails very infrequently for some
obscure sites because only the first 512 bytes of the response comes
through.  That's not the kind of behavior I'd encourage in an
administrator: "I'll just let through what seems to be needed, not what
the specifications call for."

> Tell that to Ebay, Yahoo, and Amazon at the very leat during the Code Red
> fiascal.  I am well versed on ICMP...  thats why its blocked.  As far as
> breaking anything... hasn't happen since I built my server...

Again, you're just in denial that there could possibly be anything wrong
because you chose to block something that is mostly never used and you
personally haven't noticed any side effects.  Nevertheless, it's an
important network functionality and blocking it does no good whatsoever
other than make you feel all warm and tingly because "I block all
ICMP."  I don't think the people that happen to have a small MTU that
can't load your site because they depend on pMTUd are really going to
agree with you there.

> When YOU pat my bills then YOU can decide what is idiotic.  Until then, as
> long as my users are happy...  thats the way it stays.  They like the
> service, I like the profit tree..  Its works for all of us.

You can do whatever you want with your equipment and your network, that
was not my point.  My point was that when you go advocating your silly
methods to the rest of the world as "best practices" then you should be
prepared for someone to call you on it.  Good network stewardship calls
for following the specifications, not breaking them because you feel
like it out of some misguided sense of security.

Brian



More information about the list mailing list