Netgate Discussion Forum

    Filter packets on specific port above a specific size

    Category: Firewalling (12 posts, 5 posters)
    • jimp (Rebel Alliance Developer, Netgate)

      We don't have any way to block based on packet size, and even if we did, you'd have to stop keeping state on DNS so each packet would be tested.

      I wouldn't fall into the "big UDP is bad" trap necessarily.

      Force all DNS through the firewall's resolver (unbound, preferably), enable DNSSEC while you're at it, and use forwarders you trust.

      But more important than any of that, patch your vulnerable stuff.

      Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

      Need help fast? Netgate Global Support!

      Do not Chat/PM for help!

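      The state-tracking point jimp raises above is easy to see in code. The block below is an added illustration, not code from this thread, from pfSense or from pf: it models a "keep state" rule that is evaluated only on the first packet of a flow, next to a per-packet check that looks at every UDP/53 datagram. The addresses, ports, the 512-byte threshold and the DNS messages are all constructed for the example (512 is the classic DNS-over-UDP size; EDNS0 responses legitimately exceed it, which is the "big UDP is bad" trap).

```python
"""Added example: why a size filter on DNS needs per-packet evaluation.

Constructed inputs only; nothing here is pfSense or pf code.
"""
import struct

DNS_PORT = 53
SIZE_LIMIT = 512  # illustrative threshold (classic DNS/UDP limit without EDNS0)


def parse_dns_header(payload):
    """Decode the fixed 12-byte DNS header; return None if the datagram is too short."""
    if len(payload) < 12:
        return None
    txid, flags, qd, an, ns, ar = struct.unpack("!6H", payload[:12])
    return {
        "id": txid,
        "is_response": bool(flags & 0x8000),   # QR bit
        "truncated": bool(flags & 0x0200),     # TC bit
        "rcode": flags & 0x000F,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def classify_datagram(sport, dport, payload, limit=SIZE_LIMIT):
    """Verdict for one UDP datagram: ignore / malformed / oversize / pass."""
    if DNS_PORT not in (sport, dport):
        return "ignore"
    hdr = parse_dns_header(payload)
    if hdr is None:
        return "malformed"
    if hdr["is_response"] and len(payload) > limit:
        return "oversize"
    return "pass"


def evaluate_stateful(datagrams, limit=SIZE_LIMIT):
    """Mimic a 'keep state' rule: only the first packet of a flow is matched
    against the rule; later packets that hit an existing state pass untested."""
    states = set()
    verdicts = []
    for src, sport, dst, dport, payload in datagrams:
        key = frozenset({(src, sport), (dst, dport)})  # direction-agnostic flow key
        if key in states:
            verdicts.append("state-pass")
            continue
        verdict = classify_datagram(sport, dport, payload, limit)
        if verdict == "pass":
            states.add(key)
        verdicts.append(verdict)
    return verdicts


def evaluate_stateless(datagrams, limit=SIZE_LIMIT):
    """Per-packet evaluation: every datagram is tested, responses included."""
    return [classify_datagram(sport, dport, p, limit) for _, sport, _, dport, p in datagrams]


def build_dns_message(txid, is_response, total_len):
    """Constructed DNS message: real header, zero filler standing in for the sections."""
    flags = 0x8180 if is_response else 0x0100  # QR|RD|RA for responses, RD for queries
    header = struct.pack("!6H", txid, flags, 1, 1 if is_response else 0, 0, 0)
    return header + b"\x00" * max(0, total_len - len(header))


# Constructed traffic: a client behind the firewall talking to a resolver.
CLIENT = "10.0.0.5"
RESOLVER = "192.0.2.53"
SAMPLE_DATAGRAMS = [
    (CLIENT, 40000, RESOLVER, 53, build_dns_message(0x1234, False, 40)),
    (RESOLVER, 53, CLIENT, 40000, build_dns_message(0x1234, True, 2048)),  # oversize reply
    (CLIENT, 40001, RESOLVER, 53, build_dns_message(0x1235, False, 40)),
    (RESOLVER, 53, CLIENT, 40001, build_dns_message(0x1235, True, 300)),   # ordinary reply
]

if __name__ == "__main__":
    print("stateful :", evaluate_stateful(SAMPLE_DATAGRAMS))
    print("stateless:", evaluate_stateless(SAMPLE_DATAGRAMS))
```

      With state kept, the 2048-byte reply rides the state created by the client's query and is never compared against the size rule; only the per-packet pass flags it. That is the trade-off jimp describes: a size rule on DNS would force stateless handling of port 53, which costs the usual state-table protections, and it still says nothing about whether the large reply is hostile or just a normal DNSSEC answer.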
      • 2chemlud

        Hi again!

        But with some embedded devices running on Linux, it is not possible to patch without new firmware, which may take weeks to arrive (or maybe never…).

        So how is the security of my network devices when I'm using DNS resolver in 2.2.6 with DNSSEC and forward mode (DNS servers hand picked)?

        Should I block the potentially vulnerable devices from any DNS requests for the time being? Would that add some security?

        Regards

        chemlud

        • Derelict (LAYER 8, Netgate)

          Ditch the shitty, unpatched devices.

          Chattanooga, Tennessee, USA
          A comprehensive network diagram is worth 10,000 words and 15 conference calls.
          DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
          Do Not Chat For Help! NO_WAN_EGRESS(TM)

          • 2chemlud

            Direct as usual. Sounds perfect. But how to replace 8 NAS at the same time? What would be your recommendation for SOHO devices with 1-2 TB RAID 0 devices? With frequent firmware patches available?

            In the meantime, what would be a good set of measures at the level of the firewall to keep the network storage functional? :-)

            • Derelict (LAYER 8, Netgate)

              If the devices weren't shitty there would be patches. If these are in production and there aren't patches available then someone is letting old shit fester in his network. I know it sucks. It sucks bad. Jim says pfSense cannot filter on packet size so you'll have to put something else inline to implement that workaround.

              • 2chemlud

                Hi again!

                Why don't you answer the questions I asked? About a reasonable alternative to my NAS devices. What would be your advice?

                If there is no packet filtering based on size, would it help to lock down any DNS requests for unpatched devices?

                regards!

                chemlud

                • Derelict (LAYER 8, Netgate)

                  If the device is asked to resolve a name that triggers a malicious response it can be owned. Jim gave you the possible mitigation steps in his post. Patch glibc on the vulnerable devices or take them off the internet.

                  • 2chemlud

                    OK, no recommendation for any new NAS.

                    How about this from the link posted by jimp:

                    "A man-in-the-middle (your ISP or an active attacker on your local network) between your client and the resolver may easily exploit this. The DNS resolver you are using doesn't make any difference at all."

                    Does that mean the resolver in pfsense won't help me, if the ISP is doing MITM? Or is this covered by DNSSEC?

                    • Derelict (LAYER 8, Netgate)

                      It is unclear to me whether a relayed response from a third-party resolver (like a local unbound) can exploit this or if it has to be a direct packet from the attacker to the victim. I am inclined to think it's limited to the latter.

                      • 2chemlud

                        From time to time I ask myself how many people in this world REALLY understand what's going on in this interweb-thing… Maybe 3? More?

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.