Re: Risks of patched servers behind de-randomizing NAT
David Carmean wrote:
> I seem to have lost a message where somebody from ISC (Paul?) was going to
> release an updated/new advisory regarding the source-port de-randomizing
> effects that many NAT implementations will have upon patched servers.
I don't know what Paul (or whoever) was going to say, but I'll say the
If I can get your nameserver to resolve a specific query (consider, as
Evan said earlier, an e-mail with a link in it that someone in your
organization might click on), and that query is from a device that shows
up on the Internet as a resolver with non-random source ports, I may
very well be able to poison your cache.
Consider that there are other ways to force "internal" servers to do
predictable outbound queries (think about the SMTP protocol for a moment)...
Randomize the port numbers.
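The practical check the thread is pointing at is whether the source ports a resolver actually presents to the Internet, after any NAT, still look random. The following is an added example, not code from the thread or from ISC: it scores a list of UDP source ports observed from outside the NAT (for instance from a packet capture on an authoritative server you control that the resolver was made to query) and flags the two failure modes NAT commonly introduces, sequential port allocation and collapsing everything onto one port. All port lists and thresholds below are constructed for illustration.

```python
"""Score a resolver's externally observed UDP source ports for predictability.

Added example (not from the original thread). Feed it the source ports seen
on the far side of the NAT; a patched resolver that randomizes internally
can still show up outside as sequential or single-port traffic.
"""
import math
import random
from collections import Counter


def port_entropy_bits(ports):
    """Shannon entropy of the observed port distribution, in bits.

    Bounded above by log2(len(ports)), so it only indicates how spread out
    the observed sample is, not the true entropy of the allocator.
    """
    counts = Counter(ports)
    total = len(ports)
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


def near_sequential_fraction(ports, max_stride=16):
    """Fraction of consecutive observations whose ports differ by <= max_stride.

    Incrementing NATs produce strides of 1 (or a small fixed step); a random
    allocator almost never lands within 16 ports of the previous one.
    """
    if len(ports) < 2:
        return 0.0
    close = sum(1 for a, b in zip(ports, ports[1:]) if abs(b - a) <= max_stride)
    return close / (len(ports) - 1)


def assess_source_ports(ports, min_samples=32):
    """Return a dict with the metrics and a verdict: insufficient/predictable/random.

    Thresholds are heuristics chosen for this example (an assumption), tuned
    to catch the NAT behaviours the thread describes rather than to prove
    randomness.
    """
    n = len(ports)
    if n < min_samples:
        return {"samples": n, "verdict": "insufficient"}

    distinct = len(set(ports))
    span = max(ports) - min(ports)
    seq_frac = near_sequential_fraction(ports)
    entropy = port_entropy_bits(ports)

    reasons = []
    if seq_frac >= 0.5:
        reasons.append("near-sequential allocation")
    if distinct <= n // 4:
        reasons.append("few distinct ports (possible single-port NAT)")
    if span < 1024:
        reasons.append("ports confined to a narrow range")

    return {
        "samples": n,
        "distinct": distinct,
        "span": span,
        "sequential_fraction": round(seq_frac, 3),
        "entropy_bits": round(entropy, 2),
        "reasons": reasons,
        "verdict": "predictable" if reasons else "random",
    }


# Constructed samples standing in for what tcpdump on an external host might show.
NAT_SEQUENTIAL_PORTS = list(range(30000, 30064))            # incrementing NAT
NAT_SINGLE_PORT = [53] * 64                                 # everything rewritten to one port
RANDOMIZED_PORTS = random.Random(1234).sample(range(1024, 65536), 64)  # healthy resolver


if __name__ == "__main__":
    for label, sample in (
        ("sequential NAT", NAT_SEQUENTIAL_PORTS),
        ("single-port NAT", NAT_SINGLE_PORT),
        ("randomized", RANDOMIZED_PORTS),
    ):
        print(label, assess_source_ports(sample))
```

The port lists would in practice come from something like `tcpdump -n udp dst port 53` on the authoritative side, keeping only the UDP source port of each query. The verdict is deliberately one-sided: it can show that a NAT has de-randomized you, not prove that the allocator is sound.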