On Fri, 26 Feb 2016, Nick Hilliard wrote:
> Traffic from dns-spoofing attacks generally has src port = 53 and dst
> port = random. If you block packets with udp src port=53 towards
> customers, you will also block legitimate return traffic if the
> customers run their own DNS servers or use opendns / google dns / etc.
Sure, it's a very interesting discussion what ports should be blocked or
not.
http://www.bitag.org/documents/Port-Blocking.pdf
This mentions on page 3.1, TCP(UDP)/25,135,139 and 445. They've been
blocked for a very long time to fix some issues, even though there is
legitimate use for these ports.
So if you're blocking these ports, it seems like a small step to block
UDP/TCP/53 towards customers as well. I can't come up with an argument
that makes sense to block TCP/25 and then not block port UDP/TCP/53 as
well. If you're protecting the Internet from your customers'
misconfiguration by blocking port 25 and the MS ports, why not 53 as well?
This is a slippery slope of course, and judgement calls are not easy to
make.
--
Mikael Abrahamsson email: swm...@swm.pp.se
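The collateral damage Nick describes above can be made concrete with a small classifier. This is an added example, not code from either poster: it runs a stateless "drop UDP source port 53 towards customers" rule and a stateful alternative (allow a source-port-53 datagram only if the edge saw the customer's matching outbound query) over a constructed set of packets. The addresses are documentation ranges and the `to_customer` direction flag, the `pending` query table and the lack of any timeout are assumptions made for illustration.

```python
"""Stateless vs. stateful handling of UDP source-port-53 traffic toward customers.

Added example for the mailing-list discussion above; the packets below are
constructed, not captured, and the direction flag is an assumption about
what an ISP edge device can see.
"""
from dataclasses import dataclass
from typing import List, Set, Tuple


@dataclass(frozen=True)
class Pkt:
    """One UDP datagram as seen at the ISP edge."""
    src: str
    sport: int
    dst: str
    dport: int
    to_customer: bool  # True: upstream -> customer; False: customer -> upstream


# Constructed sample traffic (TEST-NET addresses, chosen for illustration only).
SAMPLE: List[Pkt] = [
    # 1. customer host queries a public resolver; the reply comes back with sport 53
    Pkt("203.0.113.10", 51234, "8.8.8.8", 53, to_customer=False),
    Pkt("8.8.8.8", 53, "203.0.113.10", 51234, to_customer=True),
    # 2. customer runs its own recursive server; it queries an authoritative
    #    server upstream and that answer also arrives with sport 53
    Pkt("203.0.113.20", 33001, "192.0.2.1", 53, to_customer=False),
    Pkt("192.0.2.1", 53, "203.0.113.20", 33001, to_customer=True),
    # 3. spoofed/reflected traffic: sport 53, random dport, never requested
    Pkt("198.51.100.7", 53, "203.0.113.10", 40001, to_customer=True),
    Pkt("198.51.100.8", 53, "203.0.113.10", 40002, to_customer=True),
    # 4. an ordinary inbound query to the customer's authoritative server
    #    (dport 53, random sport) is untouched by either rule
    Pkt("198.51.100.9", 44444, "203.0.113.20", 53, to_customer=True),
]


def stateless_filter(pkts: List[Pkt]) -> List[Tuple[Pkt, str]]:
    """The rule discussed in the thread: drop UDP sport 53 towards customers.

    It stops the reflected packets, but it cannot tell them apart from the
    legitimate replies to queries the customer sent moments earlier.
    """
    verdicts = []
    for p in pkts:
        drop = p.to_customer and p.sport == 53
        verdicts.append((p, "drop" if drop else "pass"))
    return verdicts


def stateful_filter(pkts: List[Pkt]) -> List[Tuple[Pkt, str]]:
    """Allow a sport-53 datagram only if a matching outbound query was seen.

    A real device would age entries out; this toy table never expires and
    consumes one entry per answer (assumption: one query, one reply).
    """
    pending: Set[Tuple[str, int, str]] = set()  # (customer_ip, customer_port, server_ip)
    verdicts = []
    for p in pkts:
        if not p.to_customer:
            if p.dport == 53:
                pending.add((p.src, p.sport, p.dst))
            verdicts.append((p, "pass"))
        elif p.sport == 53:
            key = (p.dst, p.dport, p.src)
            if key in pending:
                pending.discard(key)
                verdicts.append((p, "pass"))
            else:
                verdicts.append((p, "drop"))
        else:
            verdicts.append((p, "pass"))
    return verdicts


def verdict_list(verdicts: List[Tuple[Pkt, str]]) -> List[str]:
    """Just the pass/drop decisions, in packet order."""
    return [v for _, v in verdicts]


if __name__ == "__main__":
    for name, fn in (("stateless", stateless_filter), ("stateful", stateful_filter)):
        print(name)
        for p, v in fn(SAMPLE):
            print(f"  {v:4} {p.src}:{p.sport} -> {p.dst}:{p.dport}")
```

Run as-is and the stateless rule drops packets 2 and 4 (the replies to the customer's own queries) along with the reflected ones, which is exactly the breakage for customers using Google DNS / OpenDNS or running their own resolver; the stateful variant drops only the unsolicited packets. The price is per-flow state at the edge, which is why the thread frames this as a judgement call rather than a free win.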