[j-nsp] Block traceroute and Allow Ping

Stefan Fouant sfouant at gmail.com
Wed Sep 30 12:45:02 EDT 2009


On Wed, Sep 30, 2009 at 11:44 AM, David Ball <davidtball at gmail.com> wrote:

>   If I'm not mistaken, this year's migration to DNS servers
> supporting randomized source UDP ports (based on the Kaminsky thing)
> may throw a wrench into some notions of filtering UDP traffic across
> their network.  I know we had issues with it.
>
> > On Wed, Sep 30, 2009 at 5:09 AM, Masood Shah <masoodshah at juniper.net> wrote:
> >
> >>
> >> If you are REALLY paranoid, you can DROP all UDP traffic and then only open
> >> the ports that you have services running on. Sometimes this is easier said
> >> than done though.
>

I think it really boils down to whether you are filtering Source Ports vs.
Destination Ports.  In the DNS case, there is rarely a need to block Source
Ports, but it certainly would be prudent in certain circumstances to allow
Destination Port 53 and then block everything else.  Those who support this
model shouldn't be affected by the newer versions of BIND and other
resolvers which support larger Source Port pools... (BTW, I am talking from
the perspective of a DNS provider... if we're dealing with a customer side
filtering inbound traffic, the above model should be reversed).

-- 
Stefan Fouant
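The two filter models described in the reply above, written out as an added Junos firewall-filter example (not configuration from the thread or from any poster); the filter names and the address 192.0.2.53 are constructed, and the customer-side filter matches the whole ephemeral range because the resolver's source port is randomized:

```junos
firewall {
    family inet {
        /* Provider side: the DNS server is the destination, so match on destination port */
        filter DNS-PROVIDER-IN {
            term allow-dns-queries {
                from {
                    destination-address {
                        /* constructed example: the DNS server */
                        192.0.2.53/32;
                    }
                    protocol udp;
                    destination-port 53;
                }
                then accept;
            }
            term drop-other-udp {
                from {
                    protocol udp;
                }
                then discard;
            }
            term allow-non-udp {
                then accept;
            }
        }
        /* Customer side: replies come from source port 53 to a randomized high port */
        filter DNS-CUSTOMER-IN {
            term allow-dns-replies {
                from {
                    source-address {
                        /* constructed example: the resolver the customer queries */
                        192.0.2.53/32;
                    }
                    protocol udp;
                    source-port 53;
                    /* whole ephemeral range, not one fixed port */
                    destination-port 1024-65535;
                }
                then accept;
            }
            term drop-other-udp {
                from {
                    protocol udp;
                }
                then discard;
            }
            term allow-non-udp {
                then accept;
            }
        }
    }
}
```

The customer-side term admits any UDP packet from the listed resolver's port 53, so the source-address match is what keeps it narrow; dropping it would let anything sent from port 53 through.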
