The primary issue here is that there is still source address spoofing
happening, so you have to consider: what if this packet was spoofed? DNS uses
UDP and is used as a reflector. The small services ports listed generate reply
traffic.

Additionally, kpasswd and a DNS server can generate a self-sustaining traffic
loop if it is not suppressed.

As for the NAT box that chooses those ports: if you can't keep the original
port, it should choose an ephemeral port at random. Choosing a well-known port
is problematic for lots of reasons. There are ~63500 ephemeral ports; adding
the well-known ports into the mix of source ports doesn't significantly
improve anything. If you look at IETF documents for CGNs, they say not to use
the lower 1024 ports.
-- 
Mark Andrews

> On 11 Jun 2019, at 05:44, Warren Kumari <war...@kumari.net> wrote:
> 
> On Mon, Jun 10, 2019 at 12:37 PM Grant Taylor via bind-users
> <bind-users@lists.isc.org> wrote:
>> 
>>> On 6/7/19 8:44 PM, Mark Andrews wrote:
>>> Named drops those ports as they can be used in reflection attacks.
>>> Sane NAT developers avoid those ports for just that reason.  The full
>>> list is below.
>> 
>> I understand the logic behind avoiding potentially problematic ports.
>> 
>> But I don't understand the actual attack scenario.  Is the attack
>> against the BIND server?
> 
> The root problem is cache poisoning -- see "The Hitchhiker’s Guide to
> DNS Cache Poisoning" Section 3.2 Blind response forgery using birthday
> attack ( https://www.cs.cornell.edu/~shmat/shmat_securecomm10.pdf )
> for a reasonable writeup.
> It's unclear how much protection using the additional port space
> actually helps in practice, but...
> 
> There are many other mitigations, and the "right" answer is "just use DNSSEC".
> 
> W
> 
>> I.e. in an attempt to cause BIND to establish
>> a never ending loop of packets between itself and the purported address?
>>  Or is this an attempt to cause BIND to attack a spoofed source with
>> said loop?
>> 
>> Nor do I understand why BIND couldn't differentiate between an actual
>> query vs a reflected reply, daytime response, chargen, or time packet.
>> 
>> Will someone please explain what I'm failing to understand?
>> 
>> 
>> 
>> --
>> Grant. . . .
>> unix || die
>> 
>> _______________________________________________
>> Please visit https://lists.isc.org/mailman/listinfo/bind-users to 
>> unsubscribe from this list
>> 
>> bind-users mailing list
>> bind-users@lists.isc.org
>> https://lists.isc.org/mailman/listinfo/bind-users
> 
> 
> 
> -- 
> I don't think the execution is relevant when it was obviously a bad
> idea in the first place.
> This is like putting rabid weasels in your pants, and later expressing
> regret at having chosen those particular rabid weasels and that pair
> of pants.
>   ---maf


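An added example, editorial and not from any message in the thread, from BIND or from ISC: a small Python model of the two points Mark makes above, namely refusing to answer a "query" whose source port belongs to a service that answers anything, and how a NAT should pick source ports. It injects one query with a forged source address and counts the datagrams that follow, with and without the port check. The drop set, the documentation-range addresses and the service replies are constructed for illustration; the full list that named drops is not reproduced on this page, and the kpasswd error bytes are a placeholder for the real KRB-ERROR.

```python
import random
import struct
from typing import NamedTuple, Optional, Set, Tuple

# UDP services that answer any datagram they receive. These are the ones named
# in the thread; the complete list named drops is not reproduced on this page,
# so treat this set as illustrative rather than as BIND's own table.
REFLECTOR_PORTS = {7: "echo", 13: "daytime", 19: "chargen", 37: "time", 464: "kpasswd"}
EPHEMERAL_MIN, EPHEMERAL_MAX = 1024, 65535

# Constructed sample replies from the reflecting services.
CHARGEN_LINE = b"!\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefg\r\n"
DAYTIME_LINE = b"Tue Jun 11 05:44:00 2019\r\n"
TIME_REPLY = struct.pack("!I", 3768645840)          # 4 bytes: seconds since 1900
# kpasswd error shape (RFC 3244): length, version 0x0001, zero-length AP-REP, KRB-ERROR (placeholder bytes)
KPASSWD_ERROR = struct.pack("!HHH", 14, 0x0001, 0) + b"KRB-ERR!"


class Datagram(NamedTuple):
    src: Tuple[str, int]
    dst: Tuple[str, int]
    payload: bytes


def should_drop_query(src_port: int) -> bool:
    """Server-side check: do not answer a 'query' whose source port belongs to a
    service that will answer the reply, since the source address may be forged."""
    return src_port == 0 or src_port in REFLECTOR_PORTS


def choose_nat_source_port(original_port: int, in_use: Set[int],
                           rng: Optional[random.Random] = None) -> int:
    """NAT choice as recommended in the thread: keep the original port if it is
    free and not well-known, else a random free ephemeral port; never below 1024."""
    rng = rng or random.Random()
    if EPHEMERAL_MIN <= original_port <= EPHEMERAL_MAX and original_port not in in_use:
        return original_port
    for _ in range(10_000):
        candidate = rng.randint(EPHEMERAL_MIN, EPHEMERAL_MAX)
        if candidate not in in_use:
            return candidate
    raise RuntimeError("NAT port pool exhausted")


def build_query(name: bytes, txid: int = 0x1234) -> bytes:
    """Minimal DNS query: header with RD set and one A/IN question."""
    qname = b"".join(bytes([len(lab)]) + lab for lab in name.split(b".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)


def has_well_formed_question(payload: bytes) -> bool:
    """True if the message carries exactly one parseable question section."""
    if struct.unpack("!H", payload[4:6])[0] != 1:
        return False
    i = 12
    while i < len(payload):
        n, i = payload[i], i + 1
        if n == 0:
            return len(payload) >= i + 4        # QTYPE and QCLASS must follow
        if n > 63:                              # label too long / compression pointer
            return False
        i += n
    return False


def dns_server(pkt: Datagram, drop_reflector_ports: bool) -> Optional[Datagram]:
    """Toy server on port 53: NOERROR for a parseable query, FORMERR for anything
    else that has a header, nothing for datagrams with QR set (those are replies)."""
    if (drop_reflector_ports and should_drop_query(pkt.src[1])) or len(pkt.payload) < 12:
        return None
    txid, flags = struct.unpack("!HH", pkt.payload[:4])
    if flags & 0x8000:
        return None
    rcode = 0 if has_well_formed_question(pkt.payload) else 1    # 1 = FORMERR
    reply_flags = 0x8000 | (flags & 0x7800) | rcode               # QR=1, opcode copied
    return Datagram(pkt.dst, pkt.src, struct.pack("!HHHHHH", txid, reply_flags, 0, 0, 0, 0))


def small_service(pkt: Datagram) -> Optional[Datagram]:
    """The victim host: a reflecting service answers anything; any other port
    sends no UDP reply (at most an ICMP unreachable, ignored here)."""
    name = REFLECTOR_PORTS.get(pkt.dst[1])
    if name is None:
        return None
    body = {"echo": pkt.payload, "chargen": CHARGEN_LINE, "daytime": DAYTIME_LINE,
            "time": TIME_REPLY, "kpasswd": KPASSWD_ERROR}[name]
    return Datagram(pkt.dst, pkt.src, body)


def simulate(spoofed_src_port: int, drop_reflector_ports: bool, max_packets: int = 20) -> int:
    """Inject one query forged from the victim's IP and the given port, then
    count the datagrams that follow. Reaching max_packets means a sustained loop."""
    victim = ("192.0.2.10", spoofed_src_port)             # RFC 5737 documentation addresses
    resolver = ("198.51.100.53", 53)
    pkt = Datagram(victim, resolver, build_query(b"example.com"))
    sent = 0
    while pkt is not None and sent < max_packets:
        pkt = dns_server(pkt, drop_reflector_ports) if pkt.dst == resolver else small_service(pkt)
        if pkt is not None:
            sent += 1
    return sent


if __name__ == "__main__":
    for port in (19, 464, 37, 7, 40000):
        print(port, REFLECTOR_PORTS.get(port, "ephemeral"),
              simulate(port, False), simulate(port, True))
```

Run it and chargen, daytime and kpasswd hit the packet cap (a self-sustaining loop between the resolver's FORMERR and the service's unconditional answer), time and echo reflect a single packet (a 4-byte time reply has no DNS header, and an echoed reply has QR set), and an ordinary ephemeral port draws exactly one reply. With the port check, every reflecting case sends nothing and the legitimate ephemeral case is unaffected. The check has to be on the query's source port rather than on message contents because, as Mark says, the source address cannot be trusted: a "query" from port 19 is indistinguishable from a chargen line bouncing back, so the only safe action is not to answer it.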