how-to block ads
|
ghost16825
Use security metrics
Premium
join:2003-08-26
| reply to DavidGGG
Re: [Kerio 2.x] Kerio 2.1.5 "for Dummies"
said by DavidGGG  :Still, I can not see how specifying DNS server per application helps - any vicious application trying to contact the internet surely already knows the IP address it wants, and has no use for my DNS server? Well surprisingly, no. Most self replicating worms like to use some kind of 'random' component. It is much more difficult to ensure high chance of success in connecting to some generated IP than some generated DNS name. For example, some worms have a database of high level domains, and then generate some kind of address ending eg. »highleveldomain.com/zassd345k.htm
Furthermore, the widespread nature of DNS has made many allow DNS traffic without any type of filtering (and no home software firewall is able to perform filtering at the Application level of the OSI layer). It's possible to do all kinds of interesting things by playing around with the DNS protocol (see Dan Kaminsky's research). We've yet to see widespread usage of these techniques by malware in the wild, but they are becoming more common.
said by DavidGGG :But I have to allow TCP and port 80 at the very least, and why would a hijacker use a different port or protocol? The common answer is laziness and the concept of standard (IANEA registered) port numbers. Say for example, someone creates a parasitic bot that attaches itself to Firefox and attempts connects to an IRC server. Unless, the server operator has set up the IRC daemon differently, the default port the bot will connect to will be 6667. | |
DavidGGG
join:2007-07-06
Chesterfield, VA
2 edits | Seems like the only process that ever contacts the DNS server on my XP machine is svchost, so it's easy to allow only svchost. I'll do that, and log if any program fails to connect to the DNS server (but so far it hasn't happened). Still, what I know about svchost is that DLLs run through it. So why can't a virus use svchost as well? Anyway, it's a bit safer now I guess.
Regarding specifying port numbers for the web browser: Wouldn't that be a pain in the butt? Just by reading the port numbering standard, it seems I should allow 80, 81, 443, 591, 8008 and 8080, and then also 20, 21, 989 and 990 for ftp, and probably more stuff when connecting to secure sites or other protocols which I don't know much about, and even if I got all that right, it happens from time to time I want to follow a link to a site with a specified, non-standard port number. Seems like a never ending story trying to set up all possible ports. Or maybe you or someone else with lots of experience actually have a proper list of ports that you recommend?!
I also read something about Dan Kaminsky's tricks with DNS (suppose you mean »www.doxpara.com/bo2004.ppt). Seems DNS servers are a way to send at least small amounts of data. There are security holes everywhere in my damned computer, arent there! Good thing I just limited my DNS rule to two IPs and one application...!
A couple of updates to my original post:
a) I've moved a couple of my P2P programs up above the rule that blocks port 53, since some seem to make use of it to bypass some local firewall (!). So my advice would be to check the log while running P2P and if attempts are made on port 53 by P2P programs, you might want to move the rules up, to increase connectivity.
b) I read some more about container files, and it seems sound files are probably also always safe (.WAV, .MP3 etc), since apparently they can hold only sound (what a brilliant idea - just sound in sound files!) and some tags. | |
|
