nanog mailing list archives
Re: TCP-ACK vulnerability (was RE: SSH on the router)
From: "Christopher L. Morrow" <christopher.morrow () mci com>
Date: Thu, 10 Jun 2004 17:18:03 +0000 (GMT)
On Thu, 10 Jun 2004, joshua sahala wrote:
> On (10/06/04 15:26), Christopher L. Morrow wrote:
> > dns is your friend here :( People love to name things such that they
> > are easy to remember. cat5500.floor2.build3.you.com
>
> only if the dns/security/network/whatever admins are stupid enough to
s/stupid/careless/ || s/stupid/unknowing/ || s/stupid/<pick your favorite reason why users do dumb things>/
> let that zone be queried on their public facing dns servers. bind allows for the filtering of queries, so your noc/engineering/etc address blocks can query that zone (if it requires that there is an external dns server for that zone). granted this is only obscuring things a bit, it
right, and as Sean pointed out to ... Alexei earlier: "Worms do this for you" (maybe he said port scanners/banner-grabbers) point being obscurity isn't really buying you anything :(
> isn't really all that different than having a (semi-)separate management network. if you don't have it set up like this, or don't know how, then buy dns/bind (or an equivalent book) and/or hire someone who does.
Sure, you know this, I know this, Sean knows this and apparently Alexei knows this (other present company of list included probably as well) but Joe SOHO Networker doesn't necessarily know this, nor does his corporate 'security/secretary' person know this :( (or even have the power to change it most times). So, yes, if you think ahead, plan for the worst and make security part of your initial design you are ok. What percentage does this? I'd bet less than the AV/Upgrade percentages :( -Chris
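The BIND query filtering joshua describes, as an added example that is not from the thread: an ACL of management address blocks that alone may query the zone holding the descriptive device names, while the public zone stays open. The zone names, file paths and address blocks (TEST-NET ranges) are placeholders.

```conf
// Constructed example: restrict who may query the internal naming zone.
// Zone names, file paths and address blocks are placeholders, not values
// taken from the thread.

acl "mgmt-nets" {
    192.0.2.0/24;        // NOC / engineering block (placeholder)
    198.51.100.0/24;     // second management block (placeholder)
    localhost;
};

options {
    // Server-wide default: public data is answered for anyone.
    allow-query { any; };
    // Recursion is offered only to the management blocks.
    allow-recursion { "mgmt-nets"; };
};

// Internal zone holding names like cat5500.floor2.build3.internal.example.net:
// only the management blocks may query it, and nobody may transfer it.
zone "internal.example.net" {
    type master;
    file "/var/named/internal.example.net.zone";
    allow-query { "mgmt-nets"; };
    allow-transfer { none; };
};

// Public zone remains queryable from anywhere; transfers still restricted.
zone "example.net" {
    type master;
    file "/var/named/example.net.zone";
    allow-transfer { "mgmt-nets"; };
};
```

Validate with named-checkconf before reloading; as Chris points out, this only limits who can look the names up and does not replace filtering who can reach the devices themselves.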