Risks of patched servers behind de-randomizing NAT
Evan Hunt
Evan_Hunt at isc.org
Thu Jul 31 21:31:58 UTC 2008
> Can we get a reading from Those Who Know about how likely it is that
> BadGuys can trick a client inside such a firewall to facilitate an attack
> against an internal recursive server (said server can query through the
> firewall).

Hey, all you guys inside the firewall--you should totally click on this
hilarious URL! http://www.evilwebpage.tld

It's pretty much that easy. Someone clicks, queries go out, answers
come back--and some of the answers are going to be poisoned.

A NAT router that obscures unpredictable source ports and reassigns
them to predictable ones is eliminating the best defense we have.

--
Evan Hunt -- evan_hunt at isc.org
Internet Systems Consortium, Inc.
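
A check a defender can run on the resolver's query source ports as captured on the outside interface of the NAT, to see whether the translation has made them predictable. This is an added example, not part of the original message; the function name, the cut-off values and the sample ports are constructed assumptions.

```python
import math
import statistics

def port_report(ports, small_step=64, threshold=0.5):
    """Judge DNS query source ports, given in the order they were observed.

    small_step and threshold are illustrative cut-offs, not standard values.
    """
    if len(ports) < 3:
        raise ValueError("need at least 3 observed ports")
    # Step from each port to the next, wrapping around the 16-bit port space.
    steps = [(b - a) % 65536 for a, b in zip(ports, ports[1:])]
    small = sum(1 for s in steps if s <= small_step) / len(steps)
    # Rough heuristic: a typical step of 1 adds ~0 bits of uncertainty,
    # a typical step of ~32768 adds ~15 bits on top of the 16-bit query ID.
    port_bits = math.log2(max(statistics.median(steps), 1))
    return {
        "predictable": small >= threshold,
        "small_step_fraction": small,
        "port_bits": round(port_bits, 1),
        "total_bits": round(16 + port_bits, 1),
    }

# Constructed samples: the same resolver seen inside and outside the NAT.
INSIDE = [50123, 1834, 33011, 61020, 12007, 45990, 27655, 9034]
OUTSIDE = [1024, 1025, 1026, 1027, 1029, 1030, 1031, 1032]

if __name__ == "__main__":
    for name, sample in (("inside", INSIDE), ("outside", OUTSIDE)):
        print(name, port_report(sample))
```

Feed it ports taken from a packet capture on the WAN side of the NAT; a "predictable" verdict there means the patched resolver's port randomization is not reaching the Internet.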