At 11:52 4/16/95, Dr. Frederick B. Cohen wrote:
> I just added UDP port scanning to the SATAN portion of our
> testing service, and now find that a hole (not whole) new world is
> showing up on the scans.
>
> Does anyone know if there is a version of syslog that does not
> run over UDP?
What good would that do without recompiling everything that uses syslog?
Source code isn't even available for some of the most interesting things
that use syslog, like all the various routers and other network hardware
out there.
> Does anyone have a utility (similar to telnet?) that will
> let me create UDP packets from shell scripts so I can test UDP attacks
> from shell scripts?
Not that I know of. It would be a very small C program or perl script...
Get a basic text on UNIX network programming.
> Is there a UDP wrapper of some sort that could be
> judiciously applied (realizing of course that source information in UDP
> packets is truly trivial to forge) by people wanting to close down UDP
> attacks?
What attacks? That is, attacks against what services?
Basically, with UDP, you need to use some sort of packet filtering mechanism.
You can't use something like TCP Wrappers, because that only works for
servers started by inetd, and most UDP-based servers are not started by
inetd.
The big problem with UDP is not the protocol itself, but the services that
use it, like NFS and NIS. Blocking access to those services is further
complicated by the fact that they're RPC-based, which means that they don't
run on a fixed port number on every machine; in fact, it's not unusual to
find them on a different port number every time the machine reboots. NFS
seems to always use port 2049, but I don't see any reason why it would
_have_ to, and I sure wouldn't want to base any security on the assumption
it _would_.
> I'm not completely certain, but I believe that anyone running
> UDP on a real computer (not just a router) exposed to the Internet is
> certain to be vulnerable to denial of service attacks of a wide variety.
> Is there anyone who believes otherwise, and if so why?
What makes you think you're any more vulnerable to denial of service
attacks via UDP than via TCP?
-Brent
----------------------------------------------------------------------
For info about the Internet Security Firewalls Tutorial and a schedule
of upcoming dates, please send email to Tutorial-Info@GreatCircle.COM
----------------------------------------------------------------------
Brent Chapman                                   Great Circle Associates
Brent@GreatCircle.COM                           1057 West Dana Street
+1 415 962 0841                                 Mountain View, CA 94041
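The moving-port problem Brent describes (RPC services registering with the portmapper instead of sitting on a fixed port) is visible in what the portmapper itself reports, which is the data behind rpcinfo -p. The following is an added example, not code from this thread or from Great Circle Associates: a Python decoder for a portmapper PMAPPROC_DUMP reply that lists which RPC programs are bound to which UDP ports, run here over a constructed reply in which NFS is not on 2049; the program-name table and all port numbers in the sample are assumptions of the example.

```python
import struct

# Well-known SunRPC program numbers; NFS and NIS (ypserv) are the services
# the message above singles out. Table is an assumption of this example.
PROGRAM_NAMES = {100000: "portmapper", 100003: "nfs", 100004: "ypserv",
                 100005: "mountd", 100021: "nlockmgr"}
IPPROTO_UDP = 17

def parse_pmap_dump_reply(data, expected_xid):
    """Parse a portmapper PMAPPROC_DUMP reply (RPC v2, RFC 1831/1833) into
    (program, version, protocol, port) tuples; ValueError if malformed."""
    # Reply header: xid, msg_type (1 = REPLY), reply_stat (0 = MSG_ACCEPTED),
    # verifier flavor + opaque length, accept_stat (0 = SUCCESS).
    if len(data) < 24:
        raise ValueError("reply too short")
    xid, mtype, rstat, _flav, vlen, acc = struct.unpack("!6I", data[:24])
    if xid != expected_xid or mtype != 1 or rstat != 0 or acc != 0:
        raise ValueError("not a successful reply to our request")
    off = 24 + ((vlen + 3) & ~3)  # skip verifier body, padded to 4 bytes
    entries = []
    while True:  # pmaplist is an XDR optional chain: 1 = entry follows, 0 = end
        if off + 4 > len(data):
            raise ValueError("truncated list")
        (follows,) = struct.unpack("!I", data[off:off + 4]); off += 4
        if follows == 0:
            return entries
        if off + 16 > len(data):
            raise ValueError("truncated mapping")
        entries.append(struct.unpack("!4I", data[off:off + 16])); off += 16

def udp_services(entries):
    """Map program name -> set of UDP ports it is currently registered on."""
    ports = {}
    for prog, _vers, proto, port in entries:
        if proto == IPPROTO_UDP:
            ports.setdefault(PROGRAM_NAMES.get(prog, str(prog)), set()).add(port)
    return ports

def build_sample_reply(xid, mappings):
    """Encode a reply the way a portmapper would (used only for sample data)."""
    body = struct.pack("!6I", xid, 1, 0, 0, 0, 0)  # AUTH_NULL verifier
    for m in mappings:
        body += struct.pack("!I4I", 1, *m)
    return body + struct.pack("!I", 0)

# Constructed sample: ypserv and mountd on arbitrary ports, NFS *not* on 2049,
# which is exactly what a filter rule hard-wired to port 2049 would miss.
SAMPLE = build_sample_reply(0x1234, [(100000, 2, 17, 111), (100004, 2, 17, 1023),
                                     (100005, 1, 17, 32771), (100003, 2, 17, 32780)])
```

Comparing the output of udp_services() against the packet filter's rule set, rather than against the port numbers one remembers, is the check that survives a reboot.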