nanog mailing list archives
Re: Thank you, Comcast.
From: Mike Hammett <nanog () ics-il net>
Date: Fri, 26 Feb 2016 07:58:38 -0600 (CST)
I'm sure someone smarter than I will chime in here, but I'd say far too much effort\resources for too little tangible results. ----- Mike Hammett Intelligent Computing Solutions http://www.ics-il.com Midwest-IX http://www.midwest-ix.com ----- Original Message ----- From: "Dovid Bender" <dovid () telecurve com> To: "Mike Hammett" <nanog () ics-il net>, "NANOG" <nanog-bounces () nanog org> Cc: "NANOG list" <nanog () nanog org> Sent: Friday, February 26, 2016 7:32:09 AM Subject: Re: Thank you, Comcast. I had a client with a few boxes that had dns wide open. Couldn't you use snort to match against those specific requests and just drop those packets? Regards, Dovid -----Original Message----- From: Mike Hammett <nanog () ics-il net> Sender: "NANOG" <nanog-bounces () nanog org>Date: Fri, 26 Feb 2016 07:27:50 Cc: NANOG list<nanog () nanog org> Subject: Re: Thank you, Comcast. "you will also block legitimate return traffic if the customers run their own DNS servers or use opendns / google dns / etc." I'm fine with that. Residential customers shouldn't be running DNS servers anyway and as far as the outside resolvers to go, ehhhh... I see the case for OpenDNS given that you can use it to filter (though that's easily bypassed), but not really for any others. ----- Mike Hammett Intelligent Computing Solutions http://www.ics-il.com Midwest-IX http://www.midwest-ix.com ----- Original Message ----- From: "Nick Hilliard" <nick () foobar org> To: "Mikael Abrahamsson" <swmike () swm pp se> Cc: "NANOG list" <nanog () nanog org> Sent: Friday, February 26, 2016 7:17:30 AM Subject: Re: Thank you, Comcast. Mikael Abrahamsson wrote:
Why isn't UDP/53 blocked towards customers? I know historically there were resolvers that used UDP/53 as source port for queries, but is this the case nowadays? I know providers that have blocked UDP/53 towards customers as a countermeasure to the amplification attacks. As far as I heard, there were no customer complaints.
Traffic from dns-spoofing attacks generally has src port = 53 and dst port = random. If you block packets with udp src port=53 towards customers, you will also block legitimate return traffic if the customers run their own DNS servers or use opendns / google dns / etc. Nick
Current thread:
- Re: Thank you, Comcast., (continued)
- Re: Thank you, Comcast. Paras Jha (Feb 25)
- Re: Thank you, Comcast. Roland Dobbins (Feb 25)
- Re: Thank you, Comcast. Jared Mauch (Feb 25)
- Re: Thank you, Comcast. Mikael Abrahamsson (Feb 25)
- Re: Thank you, Comcast. Mark Andrews (Feb 25)
- Re: Thank you, Comcast. Mikeal Clark (Feb 25)
- Re: Thank you, Comcast. Mike Hammett (Feb 26)
- Re: Thank you, Comcast. Nick Hilliard (Feb 26)
- Re: Thank you, Comcast. Mike Hammett (Feb 26)
- Re: Thank you, Comcast. Dovid Bender (Feb 26)
- Re: Thank you, Comcast. Mike Hammett (Feb 26)
- Re: Thank you, Comcast. Livingood, Jason (Feb 26)
- Re: Thank you, Comcast. Brielle Bruns (Feb 26)
- Re: Thank you, Comcast. Mike Hammett (Feb 26)
- Re: Thank you, Comcast. Roland Dobbins (Feb 26)
- Re: Thank you, Comcast. Brielle Bruns (Feb 26)
- Re: Thank you, Comcast. Mike Hammett (Feb 26)
- Re: Thank you, Comcast. Brielle Bruns (Feb 26)
- Re: Thank you, Comcast. Mike Hammett (Feb 26)
- Re: Thank you, Comcast. Brielle Bruns (Feb 26)
- Re: Thank you, Comcast. Paras Jha (Feb 25)
- Re: Thank you, Comcast. David Bass (Feb 26)