nanog mailing list archives

Re: Thank you, Comcast.


From: Jared Mauch <jared () puck nether net>
Date: Fri, 26 Feb 2016 09:28:48 -0500

Most of the NTP hosts have been remediated or blocked. 

Using QoS to set a cap of the amount of SNMP and DNS traffic is a fair response IMHO. 

Some carriers, e.g. 7018, block chargen wholesale across their network. We haven't taken that step but it's also something 
I'm not opposed to. 

As a community we need to determine if this background radiation and these responses are proper. I think it's a good 
response since vendors can't do uRPF at line rate and the major purchasers of BCM switches don't ask for it and aren't 
doing it, so it's not optimized or does not exist. /sigh

Jared Mauch

On Feb 26, 2016, at 9:18 AM, Maxwell Cole <mcole.mailinglists () gmail com> wrote:

I agree,

At the very least things like SNMP/NTP should be blocked. I mean how many people actually run a legit NTP server out 
of their home? Dozens? And the people who run SNMP devices with the default/common communities aren’t the ones using 
it. 

If the argument is that you need a Business class account to run a mail server then I have no problem extending that 
to DNS servers also.

Cheers,
Max

On Feb 26, 2016, at 8:55 AM, Mikael Abrahamsson <swmike () swm pp se> wrote:

On Fri, 26 Feb 2016, Nick Hilliard wrote:

Traffic from dns-spoofing attacks generally has src port = 53 and dst port = random.  If you block packets with udp 
src port=53 towards customers, you will also block legitimate return traffic if the customers run their own DNS 
servers or use opendns / google dns / etc.

Sure, it's a very interesting discussion what ports should be blocked or not.

http://www.bitag.org/documents/Port-Blocking.pdf

This mentions on page 3.1, TCP(UDP)/25,135,139 and 445. They've been blocked for a very long time to fix some 
issues, even though there is legitimate use for these ports.

So if you're blocking these ports, it seems like a small step to block UDP/TCP/53 towards customers as well. I can't 
come up with an argument that makes sense to block TCP/25 and then not block port UDP/TCP/53 as well. If you're 
protecting the Internet from your customers' misconfiguration by blocking port 25 and the MS ports, why not 53 as 
well?

This is a slippery slope of course, and judgement calls are not easy to make.

-- 
Mikael Abrahamsson    email: swmike () swm pp se
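The two approaches debated in this thread, a blanket block of UDP source port 53 toward customers versus a QoS-style rate cap, compared in an added simulation that is not part of any message above; the addresses, timings, rates and packet sizes are constructed, and the token-bucket policer is a simplified stand-in for a router QoS policy.

```python
from collections import namedtuple
# Constructed sample traffic (not captured data): UDP packets flowing toward
# customers at the network edge. t = milliseconds, size = bytes.
Pkt = namedtuple("Pkt", "t src sport dst dport size")

# A customer-run resolver at 10.0.0.5 queried a public resolver and is owed one answer.
LEGIT_REPLY = [Pkt(0, "192.0.2.53", 53, "10.0.0.5", 40123, 120)]

# Reflected DNS flood: 500 open resolvers answering queries spoofed from 10.0.0.9,
# one 3 KB reply every 2 ms for a second (1.5 MB total).
FLOOD = [Pkt(2 * i, f"203.0.113.{i % 254 + 1}", 53, "10.0.0.9", 1024 + i, 3000)
         for i in range(500)]

def block_src53(pkts):
    """Naive ACL: drop every UDP packet with source port 53 toward customers.
    Stops the reflection, but also the answer the customer's resolver asked for."""
    return [p for p in pkts if p.sport != 53]

class Src53Policer:
    """Per-destination token bucket: cap src-port-53 traffic to each customer
    instead of dropping it outright (the QoS approach mentioned in the thread).
    rate is sustained bytes per millisecond; burst is the bucket depth in bytes."""
    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.buckets = {}  # dst -> (tokens, last_t)

    def apply(self, pkts):
        passed = []
        for p in sorted(pkts, key=lambda p: p.t):
            if p.sport != 53:
                passed.append(p)  # not DNS-reply traffic: policer does not apply
                continue
            tokens, last = self.buckets.get(p.dst, (self.burst, p.t))
            tokens = min(self.burst, tokens + (p.t - last) * self.rate)
            if tokens >= p.size:
                tokens -= p.size
                passed.append(p)  # within the cap: forward
            self.buckets[p.dst] = (tokens, p.t)
        return passed

def compare(pkts, rate=100, burst=20_000):
    """Bytes delivered to each customer under each policy."""
    def by_dst(out):
        totals = {}
        for p in out:
            totals[p.dst] = totals.get(p.dst, 0) + p.size
        return totals
    return {"block": by_dst(block_src53(pkts)),
            "police": by_dst(Src53Policer(rate, burst).apply(pkts))}
```

With the constructed inputs the blanket block delivers nothing to either customer, while the policer forwards the single legitimate answer intact and lets only about 8% of the reflected flood through.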

