[lug] using tcpdump to emulate effects of packet dump

D. Stimits stimits at comcast.net
Thu Jul 17 21:55:38 MDT 2003


Jeffrey Siegal wrote:

> D. Stimits wrote:
>
> > FYI, this machine has a Linux filtering bridge on it, stopping the
> > usual garbage that comes in below port 1024. It isn't acceptable to
> > ban port 1026 udp as this would break a lot of applications, including
> > (randomly) host lookups, as the lowest open udp port is often the
> > recipient of dns replies.
>
>
> I'd run a local caching DNS server, and point your Windows machines at
> that.  Then block all incoming packets to your Windows boxes from the
> outside except non-SYN tcp packets.
>

Not possible: this is UDP, no such thing as SYN. Nor are they sending an 
initial packet to the windows machine to see if it is there, they simply 
flood a UDP spam into port 1026, connectionless. The only way to tell if 
that is what it is (because it could be going to a linux machine) is by 
the content of the packet. ZoneAlarm does not seem to pick it up because 
it has had port 1026 UDP enabled in order to run the UPS software...it 
can't block it without knowing the packet contents, or else without 
blocking all of the port 1026 inbound. A caching server will not do the 
job (and even if it did, it would have to be a caching bridge...the cost 
of getting more IP addresses is not an option).

D. Stimits, stimits AT comcast DOT net
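The point of the message above is that port 1026/udp cannot be closed (the UPS software and stray DNS replies land there), so any filtering has to look at the datagram contents rather than the port. The following is an added example, not code from the original thread or from the LUG archive: it parses raw IPv4/UDP datagrams and classifies those aimed at port 1026 as a plausible DNS reply or as suspect, using only the DNS header layout (QR bit, opcode, question count). The sample packets are constructed inline; the port constant, the helper names and the "suspect" label are assumptions made for the illustration.

```python
# Added example (not from the original post): decide, from payload rather than
# port number, whether an inbound UDP datagram to port 1026 looks like a DNS
# reply or like unsolicited traffic. Sample packets below are constructed.
import struct

GUARDED_PORT = 1026  # assumption: the port the poster says must stay open


def parse_ipv4_udp(frame: bytes):
    """Parse a raw IPv4 packet carrying UDP.

    Returns (src, dst, sport, dport, payload) or None if the bytes are not a
    well-formed IPv4/UDP datagram. Header checksums are not verified here.
    """
    if len(frame) < 20 or frame[0] >> 4 != 4:
        return None
    ihl = (frame[0] & 0x0F) * 4
    if ihl < 20 or len(frame) < ihl + 8 or frame[9] != 17:  # 17 = UDP
        return None
    src = ".".join(str(b) for b in frame[12:16])
    dst = ".".join(str(b) for b in frame[16:20])
    sport, dport, ulen = struct.unpack("!HHH", frame[ihl:ihl + 6])
    if ulen < 8 or ihl + ulen > len(frame):
        return None
    return src, dst, sport, dport, frame[ihl + 8:ihl + ulen]


def looks_like_dns_reply(payload: bytes) -> bool:
    """Heuristic on the 12-byte DNS header: QR=1, standard opcode, one question."""
    if len(payload) < 12:
        return False
    _txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", payload[:12])
    qr = flags >> 15
    opcode = (flags >> 11) & 0xF
    return qr == 1 and opcode == 0 and qdcount == 1


def classify(frame: bytes) -> str:
    """Verdict for one datagram: not-ipv4-udp / other-port / dns-reply / suspect."""
    parsed = parse_ipv4_udp(frame)
    if parsed is None:
        return "not-ipv4-udp"
    _src, _dst, sport, dport, payload = parsed
    if dport != GUARDED_PORT:
        return "other-port"
    if sport == 53 and looks_like_dns_reply(payload):
        return "dns-reply"
    return "suspect"


def build_ipv4_udp(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Assemble a minimal IPv4+UDP datagram (checksums left zero) for testing."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    return ip + udp


# Constructed samples: a DNS answer for example.com (A 93.184.216.34) and a
# non-DNS blob sent to the same port from a high source port.
DNS_REPLY_PAYLOAD = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    + b"\x07example\x03com\x00" + b"\x00\x01\x00\x01"
    + b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x0e\x10\x00\x04\x5d\xb8\xd8\x22"
)
SAMPLE_DNS_REPLY = build_ipv4_udp("192.0.2.53", "192.0.2.10", 53, GUARDED_PORT, DNS_REPLY_PAYLOAD)
SAMPLE_SUSPECT = build_ipv4_udp("198.51.100.7", "192.0.2.10", 1026, GUARDED_PORT,
                                b"constructed non-DNS payload")
SAMPLE_OTHER_PORT = build_ipv4_udp("198.51.100.7", "192.0.2.10", 1026, 1027, b"x")

if __name__ == "__main__":
    for name, frame in (("dns", SAMPLE_DNS_REPLY), ("blob", SAMPLE_SUSPECT),
                        ("other", SAMPLE_OTHER_PORT)):
        print(name, classify(frame))
```

The verdict logic is what a content-aware rule on the bridge would have to encode; the source-port-53 test is only a first cut, since a sender can forge it, and a stronger check would match the reply's transaction ID against queries actually seen leaving the bridge.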
