[129317] in North American Network Operators' Group
Re: ISP port blocking practice
daemon@ATHENA.MIT.EDU (Zhiyun Qian)
Thu Sep 2 19:06:15 2010
From: Zhiyun Qian <zhiyunq@umich.edu>
In-Reply-To: <AANLkTinmwFgxnq41YZA-Czdzt_Au8NTiaYTOR4o2rQJw@mail.gmail.com>
Date: Thu, 2 Sep 2010 18:05:58 -0500
To: William Herrin <bill@herrin.us>
Cc: NANOG list <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
You are exactly right. We also talked about stateful firewalls that can protect the GoodNet. For a NAT box, depending on the type of NAT, it is possible to set up port forwarding on the router (mostly home routers) via UPnP without any authentication (I think many home routers are like this by default). And since the machine in GoodNet is also compromised, it would not be difficult to achieve this.
Regards.
-Zhiyun
On Sep 2, 2010, at 5:45 PM, William Herrin wrote:
> On Thu, Sep 2, 2010 at 5:59 PM, Zhiyun Qian <zhiyunq@umich.edu> wrote:
>> http://www.eecs.umich.edu/~zhiyunq/pub/oakland10_triangular-spamming.pdf
>>
>> One of the high-level findings is that we developed probing techniques
>> to verify that indeed most ISPs are only blocking 1) "outgoing traffic
>> of destination port 25" instead of 2) "incoming traffic with source
>> port 25", which means that these ISPs are vulnerable to the
>> asymmetric routing attack.
>
> If I understand your idea correctly:
>
> 1. GoodNet filters TCP destination port 25 packets from his customer
> PwndBox, preventing PwndBox from spamming.
>
> 2. BadGuy on BadNet sends a forged TCP SYN packet to SpamVictim
> allegedly from PwndBox on GoodNet.
>
> 3. PwndBox receives the response packets from SpamVictim and tunnels
> them to BadGuy allowing BadGuy to complete the spam.
>
> 4. GoodNet didn't stop it because PwndBox never sent any packets to
> TCP port 25.
>
> 5. Since the IP address used was GoodNet's, GoodNet's reputation is
> damaged.
>
> 6. GoodNet could prevent this attack vector by also blocking packets
> with TCP source port 25 sent -to- PwndBox.
>
> Is that correct?
>
> I observe that if PwndBox is behind a stateful firewall such as a COTS
> NAT box, that also prevents this attack.
>
> Regards,
> Bill Herrin
>
> --
> William D. Herrin ................ herrin@dirtside.com bill@herrin.us
> 3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
> Falls Church, VA 22042-3004
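An added example, not part of the thread or of either author's work: a small Python model of the three filtering options discussed above (egress-only block of destination port 25, egress plus ingress block of source port 25, and a stateful per-customer firewall such as a NAT box), evaluated against the one attack packet that actually crosses GoodNet's border, SpamVictim's SYN-ACK towards PwndBox. All addresses, ports and host roles are constructed.

```python
from collections import namedtuple

# src/dst are IP addresses, sport/dport are TCP ports.
Packet = namedtuple("Packet", "src sport dst dport")

# Constructed documentation-range addresses for the roles in the thread.
PWNDBOX = "198.51.100.10"    # GoodNet customer
SPAMVICTIM = "203.0.113.25"  # mail server elsewhere, listening on 25
WEBSERVER = "203.0.113.80"   # unrelated site PwndBox legitimately visits

def egress_only(pkt, customer):
    """Policy 1: drop TCP from the customer to destination port 25."""
    return "DROP" if pkt.src == customer and pkt.dport == 25 else "ACCEPT"

def egress_and_ingress(pkt, customer):
    """Policy 2: policy 1 plus drop source-port-25 traffic sent to the customer."""
    if pkt.src == customer and pkt.dport == 25:
        return "DROP"
    if pkt.dst == customer and pkt.sport == 25:
        return "DROP"
    return "ACCEPT"

class StatefulFirewall:
    """Connection tracker in front of the customer: inbound packets pass only
    if they answer a flow the customer itself opened (as a COTS NAT box does)."""
    def __init__(self, customer):
        self.customer, self.flows = customer, set()
    def decide(self, pkt):
        if pkt.src == self.customer:
            self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "ACCEPT"
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return "ACCEPT" if reverse in self.flows else "DROP"

# SpamVictim's SYN-ACK to the forged SYN: the only attack packet that ever
# crosses GoodNet's filter (the forged SYN itself left from BadNet).
RETURN_SYNACK = Packet(SPAMVICTIM, 25, PWNDBOX, 40000)
# A legitimate exchange PwndBox initiates, to show the stateful filter is not blanket.
WEB_SYN = Packet(PWNDBOX, 50000, WEBSERVER, 80)
WEB_SYNACK = Packet(WEBSERVER, 80, PWNDBOX, 50000)

def evaluate():
    sfw = StatefulFirewall(PWNDBOX)
    sfw.decide(WEB_SYN)  # the customer opens the web flow first
    return {
        "egress_only": egress_only(RETURN_SYNACK, PWNDBOX),               # ACCEPT: attack passes
        "egress_and_ingress": egress_and_ingress(RETURN_SYNACK, PWNDBOX),  # DROP
        "stateful_attack": sfw.decide(RETURN_SYNACK),                     # DROP: no matching flow
        "stateful_web": sfw.decide(WEB_SYNACK),                           # ACCEPT: answers own flow
    }
```

Running `evaluate()` shows why probing for policy 1 alone is a useful check: it lets the SYN-ACK through, while both policy 2 and the stateful filter stop it without disturbing traffic the customer initiated.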