Filter packets on specific port above a specific size



  • Hi all,

    As per https://googleonlinesecurity.blogspot.ca/2016/02/cve-2015-7547-glibc-getaddrinfo-stack.html, I'd like to block DNS responses >1024 bytes. Is this possible from the firewall? Or do I need to setup actual DNS stuff to handle all the requests and drop non-compliant ones?



  • I was looking for the same thing but unable to find it. I found something on the forum from back in 2012 saying it wasn't possible. I think local dns is your best option but I haven't been able to find whether or not the built in dnsmasq will filter non complaint responses properly (I don't see any method of filtering based on packet size in dns mask either besides something regarding edns.) Keeping an eye on this thread too myself: https://www.mail-archive.com/dnsmasq-discuss@lists.thekelleys.org.uk/msg10239.html

    Good luck!


  • Rebel Alliance Developer Netgate

    We don't have any way to block based on packet size, and even if we did, you'd have to stop keeping state on DNS so each packet would be tested.

    I wouldn't fall into the "big UDP is bad" trap necessarily.

    Force all DNS through the firewall's resolver (unbound, preferably), enable DNSSEC while you're at it, and use forwaders you trust.

    But more important than any of that, patch your vulnerable stuff.


  • Banned

    Hi again!

    But with some embedded devices running on Linux, it is not possible to patch without new firmware, which may take weeks to arrive (or maybe never…).

    So how is the security of my network devices when I'm using DNS resolver in 2.2.6 with DNSSEC and forward mode (DNS servers hand picked)?

    Should I block the potentially vulnerable devices from any DNS requests for the time being? Would that add some security?

    Regards

    chemlud


  • Netgate

    Ditch the shitty, unpatched devices.


  • Banned

    Direct as usual. Sounds perfect. But how to replace 8 NAS at the same time? What would be your recommendation for SOHO devices with 1-2 TB RAID 0 devices? With frequent firmware patches available?

    In the meantime, what would be a good set of measures at the level of the firewall to keep the network storage functional? :-)


  • Netgate

    If the devices weren't shitty there would be patches. If these are in production and there aren't patches available then someone is letting old shit fester in his network. I know it sucks. It sucks bad. Jim says pfSense cannot filter on packet size so you'll have to put something else inline to implement that workaround.


  • Banned

    Hi again!

    Why don't you answer the questions I asked? About a reasonable alternative to my NAS devices. What would be your advice?

    If there is no package filtering based on size, would it help to lock down any DNS requests for unpatched devices?

    regards!

    chemlud


  • Netgate

    If the device is asked to resolve a name that triggers a malicious response it can be owned. Jim gave you the possible mitigation steps in his post. Patch glibc on the vulnerable devices or take them off the internet.


  • Banned

    OK, no recommendation for any new NAS.

    How about this from the link posted by jimp:

    "A man-in-the-middle (your ISP or an active attacker on your local network) between your client and the resolver may easily exploit this. The DNS resolver you are using doesn't make any difference at all."

    Does that mean the resolver in pfsense won't help me, if the ISP is doing MITM? Or is this covered by DNSSEC?


  • Netgate

    It is unclear to to me whether a relayed response from a third-party resolver (like a local unbound) can exploit this or if it has to be a direct packet from the attacker to the victim. I am inclined to think it's limited to the latter.


  • Banned

    From time to time I ask myself how many people in this world REALLY understand what's going on in this interweb-thing… Maybe 3? More?