ubuntu-devel Digest, Vol 23, Issue 16

Micah J. Cowan micah at cowan.name
Wed Jul 5 21:52:00 BST 2006


On Tue, Jul 04, 2006 at 05:10:12PM -0700, Dan Kegel wrote:
> On 7/4/06, Scott James Remnant <scott at ubuntu.com> wrote:
> > > strace seems to show that by default, the DNS port is only open
> > > until the response is received.  So it looks like there's only one
> > > open UDP port,  not two.
> >
> > No, it's still an open port.  UDP lacks any form of checking that things
> > received are the expected responses, and while the port is open for the
> > response anything can be sent to it (this is safe-guarded with TCP,
> > which is why TCP connections aren't considered "open ports").
> 
> Good point.  (The window during which the port is open is pretty short,
> which lessens the chance of an attack succeeding, but doesn't make it zero.)

I think such things are a necessary evil... Perhaps "no open ports"
should be amended to mean "...except for specifically-limited uses for
a small window of time"?

A potentially bigger exception is the fact that, if a user opens a
non-passive FTP connection and fetches a file, they will implicitly open
a TCP port (which isn't explicitly safe-guarded, I believe, since it's
for an "incoming" connection).

It might be worthwhile to be as conscious as possible about such things,
and manually verify that all code that we allow to do this explicitly
checks that the sender IP address is as expected... I doubt we could
realistically do a 100% job of that, though (trying to track every
program that can do FTP would be a feat).

-- 
Micah J. Cowan
Programmer, musician, typesetting enthusiast, gamer...
http://micah.cowan.name/
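As an added example (not part of the thread or of any Ubuntu code), here is the kind of reply check the message asks for, in Python: a resolver answering a DNS query over UDP. The resolver address is an assumed placeholder, and because a matching sender address alone is not proof the datagram is the awaited reply, the check also requires the DNS transaction ID and the QR flag to match.

```python
import os
import socket
import struct
from typing import Optional

# Assumed placeholder for the resolver we send queries to (not from the thread).
RESOLVER = ("192.0.2.53", 53)


def build_query(name: str, txid: int) -> bytes:
    """Build a minimal DNS A-record query carrying a 16-bit transaction ID."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def accept_reply(expected_peer, expected_txid: int, src, data: bytes) -> bool:
    """Return True only if a datagram looks like the reply we are waiting for.

    UDP gives no guarantee that a datagram arriving while the port is open
    came from the resolver we queried, so the receiver must check itself:
    source address/port equals the peer we sent to, the transaction ID
    matches our query, and the QR bit marks the packet as a response.
    """
    if src != expected_peer or len(data) < 12:
        return False
    txid, flags = struct.unpack("!HH", data[:4])
    return txid == expected_txid and bool(flags & 0x8000)


def resolve_once(name: str, peer=RESOLVER, timeout: float = 2.0) -> Optional[bytes]:
    """Send one query and return the first datagram that passes accept_reply.

    Datagrams failing the check are dropped and we keep waiting until the
    timeout instead of trusting whatever arrives first on the open port.
    """
    txid = int.from_bytes(os.urandom(2), "big")  # unpredictable ID per query
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        # connect() would also make the kernel drop datagrams from other
        # peers, but the ID and QR checks are still needed either way.
        sock.sendto(build_query(name, txid), peer)
        while True:
            try:
                data, src = sock.recvfrom(4096)
            except socket.timeout:
                return None
            if accept_reply(peer, txid, src, data):
                return data
```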


