Re: Risks of patched servers behind de-randomizing NAT
> Can we get a reading from Those Who Know about how likely it is that
> BadGuys can trick a client inside such a firewall to facilitate an attack
> against an internal recursive server (said server can query through the
> firewall).
Hey, all you guys inside the firewall--you should totally click on this
hilarious URL! http://www.evilwebpage.tld
It's pretty much that easy. Someone clicks, queries go out, answers
come back--and some of the answers are going to be poisoned.
A NAT router that obscures unpredictable source ports and reassigns
them to predictable ones is eliminating the best defense we have.
--
Evan Hunt -- evan_hunt@isc.org
Internet Systems Consortium, Inc.
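
As an added example (not part of the original post): a check an operator can run on UDP source ports captured on both sides of the NAT for the same resolver's queries, to see whether the device rewrites randomized ports into a predictable pattern. The port lists, thresholds and function names are assumptions constructed for illustration.

```python
from collections import Counter

# Thresholds are assumptions chosen for this example, not values from the post.
MIN_SAMPLES = 10   # refuse to judge from fewer observations
STEP_SHARE = 0.8   # share of identical port-to-port steps that counts as a pattern
MIN_SPAN = 4096    # ports confined to a window smaller than this are easy to guess


def assess_source_ports(ports):
    """Classify the source ports of consecutive DNS queries from one resolver."""
    if len(ports) < MIN_SAMPLES:
        raise ValueError("need at least %d samples" % MIN_SAMPLES)
    if len(set(ports)) == 1:
        return "fixed"
    # Step between consecutive queries, modulo the 16-bit port space.
    deltas = [(b - a) % 65536 for a, b in zip(ports, ports[1:])]
    _, count = Counter(deltas).most_common(1)[0]
    if count / len(deltas) >= STEP_SHARE:
        return "sequential"
    if max(ports) - min(ports) < MIN_SPAN:
        return "narrow-range"
    return "randomized"


def nat_derandomizes(inside, outside):
    """True when the resolver randomizes but the NAT's rewritten ports do not."""
    return (assess_source_ports(inside) == "randomized"
            and assess_source_ports(outside) != "randomized")


# Constructed samples: ports as sent by a patched resolver (inside the NAT) ...
INSIDE = [51234, 1893, 40211, 27650, 60002, 9321,
          33478, 18765, 55410, 4242, 47019, 23888]
# ... and as seen on the outside of two hypothetical NAT devices.
OUTSIDE_SEQ = list(range(1024, 1036))            # counter-style reassignment
OUTSIDE_POOL = [5000, 5012, 5003, 5040, 5021, 5007,
                5033, 5018, 5026, 5001, 5037, 5010]  # small port pool

if __name__ == "__main__":
    for name, sample in (("inside", INSIDE), ("outside/seq", OUTSIDE_SEQ),
                         ("outside/pool", OUTSIDE_POOL)):
        print(name, assess_source_ports(sample))
    print("NAT de-randomizes:", nat_derandomizes(INSIDE, OUTSIDE_SEQ))
```

A "randomized" verdict on a short sample only means no obvious pattern was found; collect more queries before relying on it.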