Re: [DSA 1605-1] DNS vulnerability impact on the libc stub resolver

To: debian-security@lists.debian.org
Subject: Re: [DSA 1605-1] DNS vulnerability impact on the libc stub resolver
From: Rick Moen <rick@linuxmafia.com>
Date: Wed, 13 Aug 2008 03:02:12 -0700
Message-id: <[🔎] 20080813100212.GE10437@linuxmafia.com>
In-reply-to: <[🔎] 2056.80.13.1.6.1218620468.squirrel@ssl.ombos.raceme.org>
References: <87myks4886.fsf@mid.deneb.enyo.de> <487436AF.70707@glimmer.demon.co.uk> <[🔎] 20080810221923.8ff52718.henrich@debian.or.jp> <[🔎] 87d4kgiqau.fsf@mid.deneb.enyo.de> <[🔎] 20080811094339.a522a1c3.henrich@debian.or.jp> <[🔎] slrnga0tft.3b1.jmm@inutil.org> <[🔎] 2056.80.13.1.6.1218620468.squirrel@ssl.ombos.raceme.org>

Quoting Vincent Deffontaines (vincent@gryzor.com):

> And the Linux kernel (Netfilter) implements NAT source port randomization
> since 2.6.21, which can make it a conveninent way to protect your natted
> hosts without any patching.
> 
> See http://software.inl.fr/trac/wiki/contribs/RandomSkype for details.

I believe this works on UDP traffic only starting with 2.6.24.  See:
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=32c1da70810017a98aa6c431a5494a302b6b9a30
http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.24

Reply to:

Follow-Ups:
- Re: [DSA 1605-1] DNS vulnerability impact on the libc stub resolver
  - From: "Vincent Deffontaines" <vincent@gryzor.com>

References:
- Re: [DSA 1605-1] DNS vulnerability impact on the libc stub resolver
  - From: Hideki Yamane <henrich@debian.or.jp>
- Re: [DSA 1605-1] DNS vulnerability impact on the libc stub resolver
  - From: Florian Weimer <fw@deneb.enyo.de>
- Re: [DSA 1605-1] DNS vulnerability impact on the libc stub resolver
  - From: Hideki Yamane <henrich@debian.or.jp>
- Re: [DSA 1605-1] DNS vulnerability impact on the libc stub resolver
  - From: Moritz Muehlenhoff <jmm@inutil.org>
- Re: [DSA 1605-1] DNS vulnerability impact on the libc stub resolver
  - From: "Vincent Deffontaines" <vincent@gryzor.com>

Prev by Date: Re: [DSA 1605-1] DNS vulnerability impact on the libc stub resolver
Next by Date: Re: [DSA 1605-1] DNS vulnerability impact on the libc stub resolver
Previous by thread: Re: [DSA 1605-1] DNS vulnerability impact on the libc stub resolver
Next by thread: Re: [DSA 1605-1] DNS vulnerability impact on the libc stub resolver
Index(es):
- Date
- Thread