[lug] using tcpdump to emulate effects of packet dump
D. Stimits
stimits at comcast.net
Thu Jul 17 21:55:38 MDT 2003
Jeffrey Siegal wrote:
> D. Stimits wrote:
>
> > FYI, this machine has a Linux filtering bridge on it, stopping the
> > usual garbage that comes in below port 1024. It isn't acceptable to
> > ban port 1026 udp as this would break a lot of applications, including
> > (randomly) host lookups, as the lowest open udp port is often the
> > recipient of dns replies.
>
>
> I'd run a local caching DNS server, and point your Windows machines at
> that. Then block all incoming packets to your Windows boxes from the
> outside except non-SYN tcp packets.
>
Not possible, this is UDP, no such thing as SYN. Nor are they sending an
initial packet to the windows machine to see if it is there; they simply
flood a UDP spam into port 1026, connectionless. The only way to tell if
that is what it is (because it could be going to a linux machine) is by
the content of the packet. ZoneAlarm does not seem to pick it up because
it has had port 1026 UDP enabled in order to run the UPS software...it
can't block it without knowing the packet contents, or else without
blocking all of the port 1026 inbound. A caching server will not do the
job (and even if it did, it would have to be a caching bridge...the cost
of getting more IP addresses is not an option).
D. Stimits, stimits AT comcast DOT net
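Added example, not part of the thread and not from any tool mentioned in it. The post's point is that UDP/1026 cannot be blocked by port alone (DNS replies and the UPS software land there), so a filter has to look at the datagram contents. The script below is a stand-alone Python inspector that decodes IPv4/UDP, lets through anything not aimed at port 1026, recognises the one legitimate case the post names (a DNS reply, taken here as source port 53 plus the DNS QR flag, which is my assumption for illustration), and hex-dumps everything else on that port in tcpdump -X style so a content rule can be written from what is actually seen. The sample datagrams are constructed inline; the non-DNS one is only a stand-in, since the page does not say what the flood carries.

```python
import struct

# Constructed sample traffic, not captures from the thread. The "other"
# payload is a stand-in for the flood the post describes; its real content
# is not given on the page, so nothing below depends on it.
INSPECT_PORT = 1026  # the UDP port under discussion

def ip_to_bytes(dotted):
    return bytes(int(octet) for octet in dotted.split("."))

def build_ipv4_udp(src_ip, dst_ip, sport, dport, payload):
    """Build a minimal IPv4+UDP datagram (checksums left zero; parsing only)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                         ip_to_bytes(src_ip), ip_to_bytes(dst_ip))
    return ip_hdr + udp

def parse_ipv4_udp(frame):
    """Return (src_ip, dst_ip, sport, dport, payload), or None if not IPv4/UDP."""
    if len(frame) < 20 or frame[0] >> 4 != 4:
        return None
    ihl = (frame[0] & 0x0F) * 4
    total_len = struct.unpack("!H", frame[2:4])[0]
    if frame[9] != 17 or ihl < 20 or total_len > len(frame) or ihl + 8 > total_len:
        return None
    sport, dport, udp_len, _csum = struct.unpack("!HHHH", frame[ihl:ihl + 8])
    if udp_len < 8 or ihl + udp_len > total_len:
        return None
    src = ".".join(str(b) for b in frame[12:16])
    dst = ".".join(str(b) for b in frame[16:20])
    return src, dst, sport, dport, frame[ihl + 8:ihl + udp_len]

def looks_like_dns_response(payload):
    """DNS messages have a 12-byte header; QR (top bit of the flags word) set means response."""
    if len(payload) < 12:
        return False
    flags = struct.unpack("!H", payload[2:4])[0]
    return bool(flags & 0x8000)

def classify(frame):
    """'pass' = not our port; 'dns-reply' = from port 53 and parses as a DNS
    response (assumed legitimate-case rule); 'inspect' = anything else on the port.
    Nothing is dropped on port alone, per the post's constraint."""
    parsed = parse_ipv4_udp(frame)
    if parsed is None or parsed[3] != INSPECT_PORT:
        return "pass"
    _src, _dst, sport, _dport, payload = parsed
    if sport == 53 and looks_like_dns_response(payload):
        return "dns-reply"
    return "inspect"

def hexdump(data, width=16):
    """tcpdump -X style hex/ASCII dump so a payload can be eyeballed for a content rule."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        asciipart = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:04x}  {hexpart:<{width * 3}} {asciipart}")
    return "\n".join(lines)

# Constructed DNS reply: ID 0x1234, flags 0x8180 (QR=1, RD, RA), 1 question, 1 answer.
DNS_REPLY_PAYLOAD = (b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"
                     b"\x07example\x03com\x00\x00\x01\x00\x01"  # question: example.com A IN
                     b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x0e\x10\x00\x04\x5d\xb8\xd8\x22")  # answer
DNS_REPLY = build_ipv4_udp("192.0.2.53", "192.0.2.10", 53, INSPECT_PORT, DNS_REPLY_PAYLOAD)
OTHER_1026 = build_ipv4_udp("198.51.100.7", "192.0.2.10", 4000, INSPECT_PORT,
                            b"constructed stand-in payload, not DNS")
UNRELATED = build_ipv4_udp("198.51.100.7", "192.0.2.10", 4000, 5000, b"elsewhere")

if __name__ == "__main__":
    for name, frame in [("dns reply", DNS_REPLY), ("other on 1026", OTHER_1026),
                        ("unrelated", UNRELATED)]:
        verdict = classify(frame)
        print(f"{name}: {verdict}")
        if verdict == "inspect":
            print(hexdump(parse_ipv4_udp(frame)[4]))
```

The "inspect" bucket is deliberately not a drop: the post says blanket-blocking inbound 1026 breaks the UPS software and stray DNS replies, so the only honest output for an unknown payload is the dump a human reads before deciding on a content match.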