[171444] in North American Network Operators' Group


Re: We hit half-million: The Cidr Report

daemon@ATHENA.MIT.EDU (Jeff Kell)
Wed Apr 30 00:02:35 2014

X-Original-To: nanog@nanog.org
Date: Wed, 30 Apr 2014 00:00:19 -0400
From: Jeff Kell <jeff-kell@utc.edu>
To: "TheIpv6guy ." <cb.list6@gmail.com>
In-Reply-To: <CAD6AjGSzAuMhc3Gn2PUdunU9Uj3iuPma5fRSuuj-XAgPFK4X5Q@mail.gmail.com>
Cc: NANOG list <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

On 4/29/2014 11:37 PM, TheIpv6guy . wrote:
> On Tue, Apr 29, 2014 at 7:54 PM, Jeff Kell <jeff-kell@utc.edu> wrote:
>> On 4/29/2014 2:06 PM, Owen DeLong wrote:
>>> If everyone who had 30+ inaggregable IPv4 prefixes replaced them with 1 (or even 3) IPv6 prefixes…
>>> As a bonus, we could get rid of NAT, too. ;-)
>>> /me ducks (but you know I had to say it)
>> Yeah, just when we thought Slammer / Blaster / Nachi / Welchia / etc /
>> etc had been eliminated by process of "can't get there from here"... we
>> expose millions more endpoints...
>>
>> /me ducks too (but you know *I* had to say it)
>>
> No ducking here.  You forgot Nimda.  Do you have an example from the
> last 10 years of this class ?

Oh?  Anything hitting portmapper (tcp/135), or CIFS (tcp/445), or RDP
(tcp/3389 -- CVE-2012-0002 ring any bells?).

The vulnerabilities never stop.  We just stop paying attention because
most of us have blocked 135-139 and 445 and 3389 at the border long ago.

Now granted that 80/443 (server-side) are more dangerous these days :)
But that doesn't eliminate the original risks.

These are ports that were originally open by default...  and if you
"don't" have a perimeter policy, you're "wrong" (policy, compliance,
regulation, etc).

Not to mention that PCI compliance requires you are RFC1918 (non-routed)
at your endpoints, but I digress...

Jeff
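Added example (not part of the thread or of Jeff's post): a small first-match ACL evaluator that checks whether an inbound border policy still lets the ports named above (135-139, 445, 3389) reach a host. The rule syntax, the 2001:db8:1::/48 prefix and both sample policies are constructed for this example; the "weak" policy models a site that moved its endpoints onto globally routed IPv6 with no perimeter policy, the "hardened" one the border filter most sites applied to IPv4 long ago.

```python
"""Audit an inbound border ACL for the legacy Windows ports named in the post.

Added example, not from the NANOG thread.  Policies are modelled as a
first-match rule list; the rule syntax and the sample policies below are
constructed for this example.
"""
import ipaddress
from typing import List, Optional, Tuple

# Ports the post names: MS RPC endpoint mapper, NetBIOS, CIFS/SMB and RDP.
LEGACY_PORTS = {135: "msrpc", 137: "netbios-ns", 138: "netbios-dgm",
                139: "netbios-ssn", 445: "cifs", 3389: "rdp"}


class Rule:
    """One ACL entry: action, protocol, destination prefix, dest port range."""

    def __init__(self, action: str, proto: str, dst,
                 ports: Optional[Tuple[int, int]]):
        self.action = action      # "permit" or "deny"
        self.proto = proto        # "tcp", "udp" or "any"
        self.dst = dst            # IPv4Network or IPv6Network
        self.ports = ports        # inclusive (lo, hi), or None for any port

    def matches(self, proto: str, dst_ip, dport: int) -> bool:
        if self.proto not in ("any", proto):
            return False
        # A v4 prefix never matches a v6 destination and vice versa.
        if dst_ip.version != self.dst.version or dst_ip not in self.dst:
            return False
        if self.ports is not None and not (self.ports[0] <= dport <= self.ports[1]):
            return False
        return True


def parse_rule(line: str) -> Rule:
    """Parse 'deny tcp 2001:db8:1::/48 135-139' (constructed syntax)."""
    action, proto, dst, ports = line.split()
    if action not in ("permit", "deny") or proto not in ("tcp", "udp", "any"):
        raise ValueError("bad rule: " + line)
    net = ipaddress.ip_network(dst, strict=False)
    if ports == "any":
        prange = None
    elif "-" in ports:
        lo, hi = ports.split("-", 1)
        prange = (int(lo), int(hi))
    else:
        prange = (int(ports), int(ports))
    return Rule(action, proto, net, prange)


def parse_policy(text: str) -> List[Rule]:
    """Parse a policy; blank lines and '#' comments are ignored."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            rules.append(parse_rule(line))
    return rules


def decide(policy: List[Rule], proto: str, dst_ip: str, dport: int,
           default: str = "deny") -> str:
    """First-match evaluation of one inbound flow; `default` applies if nothing matches."""
    ip = ipaddress.ip_address(dst_ip)
    for rule in policy:
        if rule.matches(proto, ip, dport):
            return rule.action
    return default


def exposed_legacy_ports(policy: List[Rule], dst_ip: str,
                         default: str = "deny") -> List[Tuple[int, str]]:
    """Return the (port, proto) pairs the policy still lets through to dst_ip."""
    return sorted((port, proto)
                  for port in LEGACY_PORTS
                  for proto in ("tcp", "udp")
                  if decide(policy, proto, dst_ip, port, default) == "permit")


# Constructed sample policies for a globally routed IPv6 /48.  Without NAT,
# nothing implicit stops inbound traffic, so the border ACL is the only thing
# standing in for "can't get there from here".
WEAK_V6 = """
# no perimeter policy at all
permit any 2001:db8:1::/48 any
"""

HARDENED_V6 = """
# block the legacy ports first, then let the rest through as before
deny any 2001:db8:1::/48 135-139
deny any 2001:db8:1::/48 445
deny any 2001:db8:1::/48 3389
permit any 2001:db8:1::/48 any
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_V6), ("hardened", HARDENED_V6)):
        hits = exposed_legacy_ports(parse_policy(text), "2001:db8:1::10")
        print(f"{name}: {len(hits)} legacy port/proto pairs reachable",
              ", ".join(f"{p}/{pr} ({LEGACY_PORTS[p]})" for p, pr in hits))
```

Run it as a script to see the weak policy leave all twelve port/protocol pairs reachable and the hardened one leave none; the evaluator is first-match with an explicit default, so the order of the deny rules before the final permit is what does the work, exactly as on a real border ACL.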

