nanog mailing list archives

Re: Thank you, Comcast.


From: Jared Mauch <jared () puck nether net>
Date: Thu, 25 Feb 2016 22:59:34 -0500

SSDP, DNS and other amplification is a big issue for large consumer networks like Comcast.

This is something I’m hoping other vendors take seriously (e.g. Netgear) when it comes to their usage of DNSMASQ and 
other tools on-box and iptables configs that promote spoofing by using IP ranges vs constraining rules with the 
ingress/egress interface.

It’s these simple amateur errors that can turn a port 53 redirect into a spoofing instance when it only passes the 
INPUT rule vs -t NAT rule.

Please block SSDP and Chargen on your networks.  Consider rate-limiting DNS & SNMP to 1% or something appropriate to 
avoid issues.

Make sure you permit TCP/53 for DNS queries so that lookups with TC=1 work.

- Jared

On Feb 25, 2016, at 10:52 PM, Paras Jha <paras () protrafsolutions com> wrote:

It's interesting that they'd call about DNS amplification... You don't
typically see DNS amplified floods coming from home ISPs. I would imagine
SSDP amplification is a far greater issue for any home ISP.

On Thu, Feb 25, 2016 at 10:46 PM, Mike Hammett <nanog () ics-il net> wrote:

I know. It seems odd, doesn't it?

They're actually suspending people's accounts for DNS amplification. My
aunt got a call about it tonight. I had already firewalled that off on her
router before they called, but they're doing it. There's more that they
could do I'm sure, but they're doing it. Maybe it's flooding their upstream
causing other service issues.... but they're doing it.

So many others aren't doing much at all.

-----
Mike Hammett
Intelligent Computing Solutions
http://www.ics-il.com

Midwest-IX
http://www.midwest-ix.com
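The iptables pattern Jared describes above (rules that key on an address range instead of on the ingress/egress interface, and a port 53 redirect applied on every interface) can be audited from an iptables-save dump. The script below is an added example, not code from the thread or from any vendor's firmware; the rule set it inspects is constructed, with br0 assumed to be the LAN bridge and eth0 the WAN interface.

```python
import shlex

# Constructed sample in iptables-save format, written to imitate a consumer
# router that redirects customer DNS queries to an on-box dnsmasq.
SAMPLE_RULES = """\
*nat
-A PREROUTING -s 192.168.1.0/24 -p udp --dport 53 -j REDIRECT --to-ports 53
-A PREROUTING -p udp --dport 53 -j REDIRECT --to-ports 53
-A PREROUTING -i br0 -p tcp --dport 53 -j REDIRECT --to-ports 53
COMMIT
*filter
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p udp --dport 53 -j ACCEPT
-A INPUT -i br0 -p udp --dport 53 -j ACCEPT
-A INPUT -i eth0 -p udp --dport 53 -j DROP
COMMIT
"""

# Targets that let a packet through or steer it to a local service.
PERMISSIVE = {"ACCEPT", "REDIRECT", "DNAT", "MASQUERADE"}

def parse_rules(dump):
    """Yield (table, chain, tokens) for every -A line of an iptables-save dump."""
    table = None
    for line in dump.splitlines():
        if line.startswith("*"):
            table = line[1:].strip()
        elif line.startswith("-A "):
            tokens = shlex.split(line)
            yield table, tokens[1], tokens[2:]

def target_of(tokens):
    return tokens[tokens.index("-j") + 1] if "-j" in tokens else None

def audit(dump):
    """Return (table, chain, reason, rule) for rules that admit traffic based on
    the address a packet claims rather than the interface it arrived on."""
    findings = []
    for table, chain, tokens in parse_rules(dump):
        if target_of(tokens) not in PERMISSIVE or "-i" in tokens or "-o" in tokens:
            continue  # dropping rules and interface-bound rules are fine here
        rule = " ".join(tokens)
        if "-s" in tokens or "-d" in tokens:
            findings.append((table, chain, "address match, no interface", rule))
        elif table == "nat":
            findings.append((table, chain, "redirect on every interface", rule))
    return findings

if __name__ == "__main__":
    for table, chain, reason, rule in audit(SAMPLE_RULES):
        print(f"{table}/{chain}: {reason}: {rule}")
```

Run against the sample it reports the two address-keyed rules and the interface-less redirect, while the rules bound to br0 or eth0 pass.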