Mail Archives: cygwin/2003/03/04/18:32:59
John,
I get it.
Well, on my system, running Norton Personal Firewall, each distinct
program that attempts to access the Internet or to which a connection
is attempted (and which is not known to be and has not been granted
access rights) produces an alert. I take it this much is like ZoneAlarm.
In NPF one can continue to individually grant and deny these attempts
or choose to grant or deny them "forever" (which just causes a new rule
to be added to NPF's database--those rules can be edited.) NPF also has
a "zones" notion that allows different protection regimes to be applied
to different zones. Zones are defined by IP addresses or ranges
thereof. I never reflexively hit "grant" on those alerts. Most of the
time if I'm going to grant (not deny), I'll make it a rule and not have
to bother again.
NPF seems to know in detail (beyond just file name) the applications to
which its rules apply, since when I re-install something (say wget)
using the updated application triggers an alert from NPF again.
Perhaps the free version of ZoneAlarm does not provide as flexible or
readily accessible a facility for defining new access control rules?
All I really recall about it was that it (I was actually using one of
the "premium" non-free($) versions) caused my system to lock up when I
used Internet Connection Sharing. That was a couple of years ago. I
dumped it after a couple of those incidents.
Randall Schulz
At 08:38 2003-03-04, John P. Rouillard wrote:
> >On Mon, 2003-03-03 at 23:59, Randall R Schulz wrote:
> >> Geoffrey,
> >>
> >> Exactly what sneaky data can get sent in a DNS request?
> >> [...]
> >
> >Actually, plenty. Historically, Bind has been easily hacked. Although
> >it's been a while since a good vulnerability was found in Bind, that
> >doesn't mean there's not an unknown hole in it which could be exploited.
> >
> >However, in order to exploit such a hole, the attacking system has to
> >be, in one way or another, "owned". Anybody with the presence of mind
> >to be running ZoneAlarm (or something similar) would certainly know if
> >their system(s) had been compromised in such a fashion.
>
>Why is everybody assuming that a random host on the internet is running
>a dns server on port 53? Consider this scenario:
>
> I put my machine on the internet. I then put a udp listener at port
> 53. I then distribute software that knows how to create a udp packet
> to port 53 on my host. I can send anything I want to that port,
> files, passwords, registry entries... Just because it's going to a
> DNS port does not mean that it's DNS data. It just means that it's
> data for the service at that particular IP Address/Port number.
>
>Now if you filter to certain hosts that you KNOW are running dns on
>port 53, then that is different. However that means you must keep
>updating the filter lists since I know my ISP changes my DNS servers
>almost every time I dial up. (My guess is they have a couple of DNS
>servers per class C subnet/POP, but that's just a guess).
>
>Running ZoneAlarm gives you a hint that something bad may be going on
>when a program that shouldn't be making DNS queries starts making
>them. Or alternatively starts making queries to the DNS port
>on joe blow's computer rather than a local network computer.
>
> -- rouilj
>John Rouillard
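As an added illustration (not code from anyone in this thread), here is the kind of rule John's quoted scenario argues for, written as a small Python checker: a per-program DNS allowlist, a resolver allowlist, and a sanity check that whatever is sent to port 53 is at least shaped like a DNS query, since port 53 alone says nothing about the payload. The resolver addresses, process names and traffic records are constructed placeholders.

```python
import struct
from dataclasses import dataclass

# Constructed policy: resolvers handed out for this session (placeholder
# addresses) and the programs expected to do DNS lookups at all.
KNOWN_RESOLVERS = {"192.0.2.53", "192.0.2.54"}
DNS_ALLOWED_PROCESSES = {"svchost.exe", "wget.exe", "ssh.exe"}

@dataclass
class UdpRecord:
    process: str
    dst_ip: str
    dst_port: int
    payload: bytes

def looks_like_dns_query(payload: bytes) -> bool:
    """Cheap shape check: 12-byte header with QR bit clear, opcode 0, one
    question and no answer/authority records, then a label-encoded name
    (lengths <= 63, no compression pointers) followed by QTYPE and QCLASS."""
    if len(payload) < 12:
        return False
    _id, flags, qd, an, ns, _ar = struct.unpack("!HHHHHH", payload[:12])
    if flags & 0x8000 or (flags >> 11) & 0xF != 0 or qd != 1 or an or ns:
        return False
    pos = 12
    while True:
        if pos >= len(payload):
            return False
        ln = payload[pos]
        if ln == 0:
            pos += 1
            break
        if ln > 63:          # 0xC0 prefix would be a compression pointer
            return False
        pos += 1 + ln
    return len(payload) >= pos + 4   # QTYPE + QCLASS must follow the name

def classify(rec: UdpRecord) -> str:
    """Return 'ok' or the reason a firewall rule would raise an alert."""
    if rec.dst_port != 53:
        return "ok"
    if rec.process not in DNS_ALLOWED_PROCESSES:
        return "unexpected-process"
    if rec.dst_ip not in KNOWN_RESOLVERS:
        return "unknown-resolver"
    if not looks_like_dns_query(rec.payload):
        return "not-dns"
    return "ok"

def encode_query(name: str) -> bytes:
    """Build a minimal well-formed A query (used only to construct samples)."""
    labels = b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split("."))
    return struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + labels + b"\x00" + struct.pack("!HH", 1, 1)

SAMPLE = [   # constructed traffic records
    UdpRecord("wget.exe", "192.0.2.53", 53, encode_query("cygwin.com")),
    UdpRecord("wget.exe", "203.0.113.7", 53, encode_query("cygwin.com")),
    UdpRecord("game.exe", "192.0.2.53", 53, encode_query("cygwin.com")),
    UdpRecord("wget.exe", "192.0.2.53", 53, b"password=hunter2\n"),
]

def audit(records=SAMPLE):
    return [classify(r) for r in records]
```

The last record shows the point of the payload check: an allowed program talking to an allowed resolver can still be carrying something that is not DNS.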