Tom responded:
> > Then maybe you shouldn't be letting it through your firewall in the
> > first place. I certainly would not recommend letting unknown protocols
> > pass across your firewall.
> > What I was saying is that if you do know the dynamics of the particular
> > protocol and by design there is a single response packet for each
> > request packet, then flagging connections with multiple responses might
> > be useful in identifying potential attacks. This option needs to be
> > configurable on the firewall.
>
> With archie, you can know the protocol all you want, and you still don't
> know how many response packets there will be for a request, because the
> number of response packets depends on the number of archive hits. You're
> proposing a UDP forwarding scheme that can't be used for 95% of its
> possible applications, because that's how much of UDP forwarding is used
> for archie. (This is a WAG, of course, but that's about the percentage of
> questions on udprelay that are about archie.)
Don't put words in my mouth. If you read my statement you will see that
I said that Fred's idea of flagging UDP "connections" was ONLY valid IF
the protocol in question had a single response packet per request
packet. For other protocols I said that Fred's proposal wouldn't work.
If you can determine the number of response packets, then only allow
that many. For archie and such, keep the connection open for some
fixed time after the last packet was received.
geoff
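The two UDP relay policies discussed in this thread, a configurable per-request response cap for protocols that answer each request with exactly one packet and an idle timeout after the last packet for protocols like archie whose reply count is unknown, as an added example that is not part of the original thread. Flow keys, ports and timeouts are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class Flow:
    requests: int = 0      # request packets seen from the inside host
    responses: int = 0     # reply packets seen from the outside host
    last_seen: float = 0.0 # time of the last packet in either direction
    flagged: bool = False  # set when replies exceed what the protocol allows


class UdpRelayTracker:
    """Stateful tracker for UDP pseudo-connections on a relay or firewall.

    max_responses: replies allowed per request (None = unknown, as with
    archie, so only the idle timeout governs the mapping's lifetime).
    idle_timeout: seconds the mapping stays open after the last packet.
    A flow key is the constructed 4-tuple (in_ip, in_port, out_ip, out_port),
    passed the same way for both directions.
    """

    def __init__(self, max_responses=None, idle_timeout=30.0):
        self.max_responses = max_responses
        self.idle_timeout = idle_timeout
        self.flows = {}

    def _expire(self, now):
        stale = [k for k, f in self.flows.items()
                 if now - f.last_seen > self.idle_timeout]
        for k in stale:
            del self.flows[k]

    def outbound(self, key, now):
        """Inside host sends a request: open or refresh the mapping."""
        self._expire(now)
        f = self.flows.setdefault(key, Flow())
        f.requests += 1
        f.last_seen = now
        return True

    def inbound(self, key, now):
        """Return True to pass a reply through, False to drop it."""
        self._expire(now)
        f = self.flows.get(key)
        if f is None:
            return False  # no matching request (or mapping expired): drop
        f.last_seen = now
        f.responses += 1
        if (self.max_responses is not None
                and f.responses > self.max_responses * f.requests):
            f.flagged = True  # more replies than requests permit: suspicious
            return False
        return True
```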