nanog mailing list archives
Re: Thank you, Comcast.
From: Mikael Abrahamsson <swmike () swm pp se>
Date: Fri, 26 Feb 2016 14:55:26 +0100 (CET)
On Fri, 26 Feb 2016, Nick Hilliard wrote:
> Traffic from dns-spoofing attacks generally has src port = 53 and dst port = random. If you block packets with udp src port=53 towards customers, you will also block legitimate return traffic if the customers run their own DNS servers or use opendns / google dns / etc.
Sure, it's a very interesting discussion what ports should be blocked or not.
http://www.bitag.org/documents/Port-Blocking.pdf
This mentions on page 3.1, TCP(UDP)/25,135,139 and 445. They've been blocked for a very long time to fix some issues, even though there is legitimate use for these ports.
So if you're blocking these ports, it seems like a small step to block UDP/TCP/53 towards customers as well. I can't come up with an argument that makes sense to block TCP/25 and then not block port UDP/TCP/53 as well. If you're protecting the Internet from your customers' misconfiguration by blocking port 25 and the MS ports, why not 53 as well?
This is a slippery slope of course, and judgement calls are not easy to make.
-- Mikael Abrahamsson email: swmike () swm pp se
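
The trade-off discussed in this message, as an added example that is not part of the original post: a stateless block on inbound UDP source port 53 drops a customer's legitimate DNS replies along with unsolicited responses, while a filter that tracks outbound queries (a contrast that goes beyond what the message proposes) keeps the replies. The addresses, the 5-second timeout and all function names are assumptions, and the packets are constructed.

```python
from collections import namedtuple

# Constructed sample packets using documentation address ranges; not captured traffic.
Pkt = namedtuple("Pkt", "t direction src sport dst dport")

CUSTOMER = "203.0.113.10"  # assumed customer address
PACKETS = [
    Pkt(0.00, "out", CUSTOMER, 40001, "198.51.100.53", 53),  # customer's own resolver asks upstream
    Pkt(0.03, "in", "198.51.100.53", 53, CUSTOMER, 40001),   # the matching reply
    Pkt(0.50, "in", "192.0.2.7", 53, CUSTOMER, 17344),       # unsolicited: no query was sent
    Pkt(0.51, "in", "192.0.2.8", 53, CUSTOMER, 51820),       # unsolicited: no query was sent
    Pkt(9.00, "in", "198.51.100.53", 53, CUSTOMER, 40001),   # reply arriving after state expired
]


def stateless_acl(pkt):
    """Port-based block: drop every inbound packet whose source port is 53."""
    return "drop" if pkt.direction == "in" and pkt.sport == 53 else "pass"


def stateful_filter(packets, timeout=5.0):
    """Pass inbound sport-53 packets only when they answer a recent outbound query."""
    pending = {}  # (customer_ip, customer_port, server_ip) -> time the query left
    verdicts = []
    for p in packets:
        if p.direction == "out" and p.dport == 53:
            pending[(p.src, p.sport, p.dst)] = p.t
            verdicts.append("pass")
        elif p.direction == "in" and p.sport == 53:
            sent = pending.get((p.dst, p.dport, p.src))
            answered = sent is not None and p.t - sent <= timeout
            verdicts.append("pass" if answered else "drop")
        else:
            verdicts.append("pass")
    return verdicts


def compare(packets=PACKETS):
    """Return (stateless verdicts, stateful verdicts) for the same packet list."""
    return [stateless_acl(p) for p in packets], stateful_filter(packets)


if __name__ == "__main__":
    for pkt, a, b in zip(PACKETS, *compare()):
        print(f"{pkt.t:5.2f} {pkt.direction:3} {pkt.src}:{pkt.sport} -> "
              f"{pkt.dst}:{pkt.dport}  stateless={a} stateful={b}")
```
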