Comments on: Windows Packet Filtering: The Very Least You Can Do For Security

By: Ben D.

Ben D. — Tue, 16 Dec 2008 00:00:00 +0000

Sorry for the trailing sentence fragment and the relatively useless DefCon link. Here’s a more useful link to Kaminsky’s own summary of the vulnerability:

http://www.doxpara.com/?p=1204

The short story is: stay patched and DON’T disable source-port randomization.

By: Ben D.

Ben D. — Tue, 16 Dec 2008 00:00:00 +0000

Might be mistaken, but I’m pretty sure it significantly reduces security to force DNS to always send requests from the same port. I was under the impression, after the recent hullabaloo about the Kaminsky DNS vulnerability, that the random source port is one of the crucial factors in preventing spoofed DNS responses.

I’m pretty sure that it’s trivial to spoof the source-IP of a UDP packet, because UDP is a connection-less protocol. So "filtering" UDP packets, firewall-style, doesn’t really mean anything.

But if you only pay attention to DNS response packets that arrive on a port from which you sent a query, then you’ve significantly narrowed the attack surface.

OTOH, if your attacker knows that you *always* expect DNS responses on port 53, then you’ve given away a bit of the game.

And when you can’t trust DNS, as Dan Kaminsky pointed out so chillingly at DefCon 16 last August, you really can’t trust anything.

http://www.defcon.org/html/defcon-16/dc-16-speakers.html#Kaminsky

Packet-filtering DNS is a bit of a red herring anyway, I think, as long as you’re doing DNS via UDP. Isn’t the source-IP of a UDP packet trivially spoofed, since it’s a connection-less protocol? So in fact the

By: funky

funky — Sun, 30 Sep 2007 00:00:00 +0000

Thank you very much or your help! I’ve spent a few hours while finding why dns is not working after turning on packet filtering. I’ve thought, that it may be answering-port related, but I definetely couldn’t find how to change it. You saved me

By: Andrew S.

Andrew S. — Thu, 13 Sep 2007 00:00:00 +0000

Daryl!
It’s very useful security post about win os.
Nice manual. Thanks.

With best wishes…

By: Nat Papovich

Nat Papovich — Wed, 07 Mar 2007 00:00:00 +0000

Daryl, a few years back, I put a Win2k server right onto the internet for a couple days as a short-term solution for a needy client.

Within about 24 hours, my ISP (business class DSL) called me and said that I was running an open SMTP relay and had been broadcasting spam for the last six hours. I was humbled, shamed, and very apologetic. Simply disabling the SMTP and RPC services solved the problem immediately and I eventually closed off the ports like you mentioned in this post.

Been there, done that!