
IPtables for a virtual dedicated server.

I would like to block UDP scans and I was wondering whether there's a minimum packet size for a DNS lookup?

Nmap sends 0-byte UDP packets (source: http://nmap.org/bennieston-tutorial/ ), but there are probably tools available that allow you to add a few bytes.

Also, I don't quite understand how nmap's UDP packets can be 0 bytes.

Mark Henderson
Kris
  • As for Nmap. The UDP payload is 0 bytes. The IP packet is not zero length since it has the UDP headers, and the IP headers. – Zoredache Apr 02 '12 at 23:04
    Nmap does not send 0-byte UDP packets for DNS probes. For many common UDP ports, it sends valid payloads designed to elicit a response. For a list of the current payloads, see http://nmap.org/svn/nmap-payloads – bonsaiviking Apr 03 '12 at 00:47

2 Answers


Limiting by size is probably not what you want to do. Using Nmap as your example scanner, note that with the --data-length option an attacker can use packets of any length. Also, as I commented below your question, Nmap uses valid payloads for 39 of the most common UDP ports in order to solicit a payload. Not to mention that some protocols allow and even require the server to respond to an empty packet.

Don't despair, though. There is plenty that iptables can do to make life difficult for someone who wants to scan you. UDP scanning is notoriously difficult, since the success condition (an open port) is negative (no response) in most cases. Linux already rate-limits the closed-port response (ICMP port unreachable messages) to one per second, which makes scanning even slower. Here are some ideas:

  • Using the DROP target instead of REJECT will slow down scanning significantly.
  • Add LOG targets for common UDP destination ports that you do not use, then check your logs frequently
  • Use the limit and hashlimit matching modules to set upper bounds on reasonable connection rates. Be careful with these, though, or you'll block legitimate access.
  • Finally, realize that port scanning happens. If an adversary knowing what ports you have open is game-over for you, then spend your time on securing your services, not experimenting with creative iptables rules.
bonsaiviking

Also, I don't quite understand how nmap's UDP packets can be 0 bytes.

0 bytes of payload. The packet still has the IP and UDP headers.

I was wondering whether there's a minimum packet size for a DNS lookup?

Well, let's take a look at http://www.netfor2.com/dns.htm since that's easier to read than the RFC.

Every octet is a byte, so we've got:

  • Header: 12
  • Question 4 (class and record type bytes) + at least 1 (the domain being queried), so 5+

Thus, any packet coming into the server should have at least 17 bytes of payload + IP, UDP, and link protocol headers.

Jeff Ferland
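Jeff Ferland's 17-byte arithmetic carried through in code, added here as an example that is not from either answer: encode_name, build_query and looks_like_dns_query are names chosen for this illustration. It builds a minimal query to show where the 17 comes from, then applies that same floor plus a few header sanity checks to an incoming UDP/53 payload (which is also why a 0-byte probe fails the check).

```python
import struct

DNS_HEADER_LEN = 12         # ID, flags, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT: six 16-bit fields
QUESTION_FIXED_LEN = 4      # QTYPE + QCLASS
# The shortest legal QNAME is the root ".", encoded as a single zero byte, hence 12 + 1 + 4.
DNS_MIN_QUERY_LEN = DNS_HEADER_LEN + 1 + QUESTION_FIXED_LEN   # 17


def encode_name(name: str) -> bytes:
    """Encode a domain name as length-prefixed labels terminated by a zero byte."""
    out = b""
    for lbl in [part for part in name.strip(".").split(".") if part]:
        raw = lbl.encode("ascii")
        if len(raw) > 63:
            raise ValueError("DNS labels are at most 63 bytes")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = 1, qclass: int = 1, txid: int = 0x1234) -> bytes:
    """Build a one-question DNS query with RD set; type A, class IN by default."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, qclass)


def looks_like_dns_query(payload: bytes) -> bool:
    """Cheap plausibility check for a UDP/53 payload: long enough, QR bit clear,
    at least one question, and a QNAME that fits before QTYPE/QCLASS."""
    if len(payload) < DNS_MIN_QUERY_LEN:        # rejects the 0-byte probe outright
        return False
    _txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", payload[:DNS_HEADER_LEN])
    if flags & 0x8000 or qdcount < 1:           # QR=1 is a response; a query needs a question
        return False
    pos = DNS_HEADER_LEN
    while True:                                  # walk the labels of the first QNAME
        if pos >= len(payload):
            return False
        length = payload[pos]
        if length == 0:
            pos += 1
            break
        if length & 0xC0:                        # a pointer in the first name has nothing to point at
            return False
        pos += 1 + length
    return len(payload) >= pos + QUESTION_FIXED_LEN
```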