Message-ID: <20080716070721.GA1323@countersiege.com>
Date: Wed, 16 Jul 2008 16:07:21 +0900
From: Ryan McBride <mcbride@...nbsd.org>
To: Thomas Cross <tcross@...ibm.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: DNS and NAT (was: DNS and CheckPoint)

Someone just drew my attention to this thread.

On Thu, Jul 10, 2008 at 07:41:32PM -0400, Thomas Cross wrote:
>    We've also been wondering whether NAT devices ought to randomly assign
>    UDP source ports, although no NAT vendor that we're aware of has done
>    this to date.

OpenBSD's packet filter, pf (also available in the other BSDs and a
number of commercial products based on them), randomizes the source port
by default for all NATed TCP and UDP connections using an rc4-based
pseudo-random number generator, and has done so since 2000.

We've been suggesting for quite some time that everyone randomize source
ports (among other network values) wherever possible.  Will the holdout
vendors finally start doing this, or will they wait for yet another
vulnerability that can be mitigated by it?

-Ryan
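A defender-side check for the property discussed above, as an added example that is not part of the original post or of pf: given the source ports of successive DNS queries as seen on the outside of a NAT (the three sample sequences are constructed here and are assumed to come from a packet capture), classify whether the NAT preserves, counts up, or randomizes the source port.

```python
import random
from collections import Counter

# Constructed samples (not real captures): outside-facing source ports of 20
# consecutive DNS queries from a resolver behind three hypothetical NATs.
STATIC_NAT = [53] * 20                                  # port preserved (like pf "static-port")
SEQUENTIAL_NAT = list(range(1024, 1044))                # counter-based allocation
_rng = random.Random(7)                                 # fixed seed so the sample is reproducible
RANDOM_NAT = [_rng.randrange(1024, 65536) for _ in range(20)]  # randomized allocation


def port_profile(ports):
    """Summarize a sequence of observed source ports in capture order."""
    if len(ports) < 2:
        raise ValueError("need at least two samples")
    counts = Counter(ports)
    deltas = [b - a for a, b in zip(ports, ports[1:])]
    return {
        "samples": len(ports),
        "distinct": len(counts),
        "span": max(ports) - min(ports),
        # adjacent queries whose port grew by 1 or 2: the signature of a counter
        "sequential_pairs": sum(1 for d in deltas if 0 < d <= 2),
    }


def classify(ports):
    """Return 'static', 'sequential', 'weak' or 'randomized' for the allocation."""
    p = port_profile(ports)
    n = p["samples"]
    if p["distinct"] == 1:
        return "static"
    if p["sequential_pairs"] >= 0.8 * (n - 1):
        return "sequential"
    # Reuse of ports within a short sample, or all ports packed into a narrow
    # window, means an attacker's guessing space is far smaller than 16 bits.
    if p["distinct"] < 0.9 * n or p["span"] < 4096:
        return "weak"
    return "randomized"


if __name__ == "__main__":
    for name, sample in (("static", STATIC_NAT), ("sequential", SEQUENTIAL_NAT),
                         ("random", RANDOM_NAT)):
        print(f"{name:>10}: {classify(sample)} {port_profile(sample)}")
```

On a real deployment, feed the function the UDP source ports of queries captured on the WAN side of the NAT (for example, from a resolver queried against a host you control), since what matters is the port the outside world sees, not the one the resolver chose.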
