[lug] using tcpdump to emulate effects of packet dump

D. Stimits stimits at comcast.net
Thu Jul 17 22:14:25 MDT 2003


Jeffrey Siegal wrote:

> D. Stimits wrote:
>
> >> I'd run a local caching DNS server, and point your Windows machines at
> >> that.  Then block all incoming packets to your Windows boxes from the
> >> outside except non-SYN tcp packets.
> >
> >
> > Not possible, this is UDP, no such thing as SYN. Nor are they sending
> > an initial packet to the windows machine to see if it is there, they
> > simply flood a UDP spam into port 1026, connectionless. The only way
> > to tell if that is what it is (because it could be going to a linux
> > machine) is by the content of the packet.
>
>
> Right, just block all UDP going to your Windows machines from the
> outside.  You don't need it.  There are some applications that use UDP
> over the Internet (media players mostly) but they all have TCP fallback
> because so many firewalls won't pass UDP anyway.


The same machine is linux or windows, depending on what it is booted to 
at the moment. Blocking it from the bridge will break the linux side.

The linux side does not *always* break when port 1026 is blocked, but 
due to the way ports are used for DNS, sometimes name servers *do* use 
that port...it is a response to what the requesting box says is an open 
port when under linux. If by random chance a dns request has 1026 open 
as the first udp port above 1023, then dns will hang.

>
> The purpose of the caching server is to allow DNS to work without having
> the Windows boxes doing the queries themselves.  They query the caching
> server, the caching server does the queries.  The filter *does* allow
> UDP to go to the caching server, which is safe because you're running a
> secure operating system (and DNS server there) there, not Windows.  Or
> you can configure it to do its outgoing DNS requests on port 53, and
> block the rest.  Either way.

Doesn't it require an IP address? My bridge has no such requirement, and 
does not even have a route or IP address. A very large number of ports 
are already blocked, such as network neighborhood (virus condominium). 
But let's say I do use this as the implementation...will this hurt the 
company that says pay us or else suffer crashes and annoyances from 
inappropriate popups (I have graphics apps such as Cinema 4D which 
require a reboot if I alt-tab to the popup and desktop...the alt-tab is 
automatically forced in the case of a popup)? I want a solution that I 
can publish that will hurt these extortionists who demand money to stop 
exploiting this weakness and DoSing my machine.

D. Stimits, stimits AT comcast DOT net
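One way to make the rule the two posters are circling concrete, as an added example that is not code from this thread or from either poster: an inbound-UDP filter for a host behind a bridge that drops unsolicited datagrams to high ports (the port 1026 flood), but lets a DNS response through when it matches a query the inside host itself sent (same resolver, same client port, same transaction ID), so DNS does not hang when the client happens to pick 1026 as its source port. It also allows UDP/53 to an inside caching resolver, the setup Jeffrey suggests. All addresses, packets and the class/function names are constructed for illustration.

```python
"""
Added example, not code from the thread. Models a stateful inbound-UDP
filter sitting on a bridge: unsolicited UDP to a high port is dropped,
a DNS reply matching a pending query is allowed, and UDP/53 to an inside
caching resolver is allowed. All packets and addresses are constructed.
"""
import struct

DNS_PORT = 53
QR_BIT = 0x8000          # DNS header flag bit: 1 = response, 0 = query


def encode_name(name):
    """Encode 'example.com' as DNS labels: \\x07example\\x03com\\x00."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"


def build_dns_query(txid, name):
    # id, flags (RD set), qdcount=1, ancount=0, nscount=0, arcount=0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)  # type A, class IN


def build_dns_response(txid, name, ipv4):
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)     # QR, RD, RA set
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    # answer: pointer to the question name (0xC00C), A/IN, TTL 300, 4-byte RDATA
    answer = (b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)
              + bytes(int(o) for o in ipv4.split(".")))
    return header + question + answer


class DnsAwareUdpFilter:
    """Hypothetical bridge filter: tracks outbound DNS queries, vets inbound UDP."""

    def __init__(self, inside_dns_servers=()):
        # UDP/53 to these inside hosts is allowed unconditionally (a caching
        # resolver); every other inbound datagram must match a pending query.
        self.inside_dns_servers = set(inside_dns_servers)
        self.pending = {}  # (client_ip, client_port, txid) -> resolver_ip

    def note_outbound(self, src_ip, src_port, dst_ip, dst_port, payload):
        """Record DNS queries leaving the inside so their replies can be matched."""
        if dst_port != DNS_PORT or len(payload) < 12:
            return
        txid, flags = struct.unpack("!HH", payload[:4])
        if not flags & QR_BIT:
            self.pending[(src_ip, src_port, txid)] = dst_ip

    def allow_inbound(self, src_ip, src_port, dst_ip, dst_port, payload):
        """Return (allowed, reason) for a UDP datagram arriving from outside."""
        if dst_port == DNS_PORT and dst_ip in self.inside_dns_servers:
            return True, "query to inside caching resolver"
        if src_port == DNS_PORT and len(payload) >= 12:
            txid, flags = struct.unpack("!HH", payload[:4])
            key = (dst_ip, dst_port, txid)
            if flags & QR_BIT and self.pending.get(key) == src_ip:
                del self.pending[key]      # one reply per query; replays are dropped
                return True, "response to a pending DNS query"
        return False, "unsolicited inbound UDP"


def run_scenario():
    """Walk a constructed exchange; returns the list of (allowed, reason) decisions."""
    client, resolver, spammer, cache = "192.0.2.10", "198.51.100.53", "203.0.113.7", "192.0.2.2"
    f = DnsAwareUdpFilter(inside_dns_servers={cache})
    txid = 0x1234
    # the client happens to pick 1026 as its source port, the case described above
    f.note_outbound(client, 1026, resolver, DNS_PORT, build_dns_query(txid, "example.com"))
    reply = build_dns_response(txid, "example.com", "203.0.113.80")
    forged = build_dns_response(0x9999, "example.com", "203.0.113.9")
    return [
        f.allow_inbound(resolver, DNS_PORT, client, 1026, reply),            # real reply
        f.allow_inbound(resolver, DNS_PORT, client, 1026, reply),            # replayed reply
        f.allow_inbound(spammer, 1026, client, 1026, b"constructed junk"),   # the flood
        f.allow_inbound(spammer, DNS_PORT, client, 1026, forged),            # wrong txid/source
        f.allow_inbound(spammer, 1026, cache, DNS_PORT, build_dns_query(7, "example.org")),
    ]


if __name__ == "__main__":
    for allowed, reason in run_scenario():
        print("ALLOW" if allowed else "DROP ", reason)
```

The filter keys replies on the full (client address, client port, transaction ID, resolver address) tuple, so neither a random high-port datagram nor a forged "response" from a different source gets through, while the legitimate reply to a query sent from port 1026 does; the caching-resolver exception is what lets the inside hosts stop doing outside queries at all.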
