[163565] in North American Network Operators' Group


Re: chargen is the new DDoS tool?

daemon@ATHENA.MIT.EDU (Ricky Beam)
Tue Jun 11 22:02:12 2013

To: "Majdi S. Abbas" <msa@latt.net>
Date: Tue, 11 Jun 2013 21:37:04 -0400
From: "Ricky Beam" <jfbeam@gmail.com>
In-Reply-To: <20130611235717.GA3395@puck.nether.net>
Cc: nanog@nanog.org

On Tue, 11 Jun 2013 19:57:17 -0400, Majdi S. Abbas <msa@latt.net> wrote:
> 	You've never worked for one, have you?

Indeed I have. Which is why I haven't for a great many years.  Academics
tend to be, well, academic. That is, rather far out of touch with the
realities of running / securing a network.  I've used the word
"incompetent" in previous conversations, but that's mostly a factor of
overwork in an environment where few people are ever fired for such.

> 	Guess what, they have /16s, they use them, and they like
> the ability to print from one side of campus to the other.  Are you
> suggesting gigantic NATs with 120,000 students and faculty behind them?

Guess what, there are companies that have /8's, and they manage to keep
their network(s) reasonably secured.  I'm not talking about uber-large
NAT; I'm talking about proper boundary security.  If you cannot figure out
how to keep the internet away from your printers, you should look into
other lines of employment.  Limiting access of the residential network
into the departmental networks is one of the first things in the design
of a res-net. Otherwise, there's 25k potential script kiddies (or infected
home computers now on your network) waiting to attack everything on
campus. But we're headed into the weeds here...

> 	I have a hard time blaming a school for this.  I have an easy
> time wondering why printer manufacturers are including chargen support
> in firmware.

I have the same bewilderment about people allowing such unsolicited
traffic into their network(s) in the first place.  Even with IPv6 (where
there's no NAT forcing the issue), I run a default deny policy... if
nothing asked for it, it doesn't get in.

Also, why the hell aren't providers doing anything to limit
spoofing?!? I'm staring right at you, AT&T (former BellSouth).

--Ricky

