[ntp:security] Safety of machines behind firewalls in running pre 4.2.8

Brad Knowles brad at shub-internet.org
Sat Dec 20 16:04:09 UTC 2014

On Dec 19, 2014, at 11:22 PM, Philip Gladstone <philip at gladstonefamily.net> wrote:

> In this case, the firewall will forward the attack packet through to the vulnerable server as it appears to be a response to a request that the server sent.

Isn’t this kind of attack possible for virtually every single Internet service in existence?  Machine A chooses to contact Machine B, and Machine B responds in a way that is malicious, but since Machine A contacted it the response from Machine B is seen as a legitimate reply?

Unless the firewall knows enough about each and every protocol that passes through in order to sanitize all the packets and only allow the known good ones through, I don’t see any way to resolve this issue.

And if you do go the route of requiring the firewall to have complete and perfect knowledge of every single protocol and every single implementation of said protocol, isn’t that a self-DoS?

Brad Knowles <brad at shub-internet.org>
LinkedIn Profile: <http://tinyurl.com/y8kpxu>
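The behaviour discussed above, as an added example that is not part of the original message: a Python model of a stateful UDP filter (state keyed on the 4-tuple of the outbound NTP request) shows why any packet from the contacted server is admitted regardless of payload, and what the minimal protocol-aware check Brad describes would look like. Addresses and packets are constructed for the demonstration; the NTP check is only a length and mode sanity test, not a full parser.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes

def looks_like_ntp_reply(payload: bytes) -> bool:
    # Minimal protocol awareness: an NTPv3/v4 server reply is 48 bytes and
    # carries mode 4 (server) in the low three bits of the first byte.
    if len(payload) != 48:
        return False
    version = (payload[0] >> 3) & 0x07
    mode = payload[0] & 0x07
    return version in (3, 4) and mode == 4

class StatefulUdpFirewall:
    # State table keyed on the UDP 4-tuple, as a plain stateful filter does;
    # inspect_payload=True adds the NTP sanity check above.
    def __init__(self, inspect_payload: bool = False):
        self.inspect_payload = inspect_payload
        self.state = set()

    def outbound(self, pkt: Packet) -> None:
        # Remember the reverse tuple so the contacted peer's reply is admitted.
        self.state.add((pkt.dst, pkt.dport, pkt.src, pkt.sport))

    def inbound(self, pkt: Packet) -> str:
        if (pkt.src, pkt.sport, pkt.dst, pkt.dport) not in self.state:
            return "drop: unsolicited"
        if self.inspect_payload and not looks_like_ntp_reply(pkt.payload):
            return "drop: not an NTP reply"
        return "accept"

def run_scenario() -> dict:
    # Constructed addresses from the RFC 5737 documentation ranges, not real hosts.
    client, server, other = "192.0.2.10", "203.0.113.5", "198.51.100.7"
    request = Packet(client, 40000, server, 123, bytes([0x23]) + bytes(47))
    good_reply = Packet(server, 123, client, 40000, bytes([0x24]) + bytes(47))
    oversized = Packet(server, 123, client, 40000, bytes([0x24]) + bytes(199))
    unsolicited = Packet(other, 123, client, 40000, bytes([0x24]) + bytes(47))
    results = {}
    for name, fw in (("plain", StatefulUdpFirewall()),
                     ("ntp_aware", StatefulUdpFirewall(inspect_payload=True))):
        fw.outbound(request)
        results[name] = tuple(fw.inbound(p) for p in (good_reply, oversized, unsolicited))
    return results
```

The plain filter accepts the oversized "reply" because it only matches the tuple it recorded; only the protocol-aware variant rejects it, which is the knowledge a firewall would need per protocol.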
