[187769] in North American Network Operators' Group
Re: Thank you, Comcast.
daemon@ATHENA.MIT.EDU (Jared Mauch)
Thu Feb 25 23:00:58 2016
X-Original-To: nanog@nanog.org
From: Jared Mauch <jared@puck.nether.net>
In-Reply-To: <CAJayEpEU9aNHBnf+dG0KMypZmp7rQx-Ycz321-zWXi5anGfrUQ@mail.gmail.com>
Date: Thu, 25 Feb 2016 22:59:34 -0500
To: Paras Jha <paras@protrafsolutions.com>
Cc: NANOG list <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org
SSDP, DNS and other amplification is a big issue for large consumer networks like Comcast.
This is something I’m hoping other vendors take seriously (e.g. Netgear) when it comes to their usage of DNSMASQ and other tools on-box and iptables configs that promote spoofing by using IP ranges vs constraining rules with the ingress/egress interface.
It’s these simple amateur errors that can turn a port 53 redirect into a spoofing instance when it only passes the INPUT rule vs the -t NAT rule.
Please block SSDP and Chargen on your networks. Consider rate-limiting DNS & SNMP to 1% or something appropriate to avoid issues.
Make sure you permit TCP/53 for DNS queries so that TC=1 lookups work.
- Jared
> On Feb 25, 2016, at 10:52 PM, Paras Jha <paras@protrafsolutions.com> wrote:
>
> It's interesting that they'd call about DNS amplification... You don't
> typically see DNS amplified floods coming from home ISPs. I would imagine
> SSDP amplification is a far greater issue for any home ISP.
>
> On Thu, Feb 25, 2016 at 10:46 PM, Mike Hammett <nanog@ics-il.net> wrote:
>
>> I know. It seems odd, doesn't it?
>>
>> They're actually suspending people's accounts for DNS amplification. My
>> aunt got a call about it tonight. I had already firewalled that off on her
>> router before they called, but they're doing it. There's more that they
>> could do I'm sure, but they're doing it. Maybe it's flooding their upstream
>> causing other service issues.... but they're doing it.
>>
>> So many others aren't doing much at all.
>>
>> -----
>> Mike Hammett
>> Intelligent Computing Solutions
>> http://www.ics-il.com
>>
>> Midwest-IX
>> http://www.midwest-ix.com
>>
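The rule-writing mistake Jared describes, shown as an added example that is not from the thread or from any vendor's firmware: a UDP/53 redirect gated on an address range beside one gated on the ingress interface, plus the rate limit, TCP/53 allowance and SSDP/chargen blocks he asks for. Interface names (br-lan, eth0), the LAN prefix and the limit values are assumptions for a typical home router.

```shell
#!/bin/sh
# Added illustration of the rule-writing mistake discussed above: a home
# router's DNS redirect that relies on address ranges instead of the ingress
# interface. Interface names, the LAN prefix and the rate values are assumed
# (LAN bridge br-lan, WAN eth0); they are not from the thread.
IPT="${IPT:-echo iptables}"   # dry run by default; IPT=iptables to apply
LAN_IF=br-lan
WAN_IF=eth0
LAN_NET=192.168.1.0/24

# WEAK: nothing here distinguishes the WAN from the LAN. PREROUTING nat runs
# before INPUT, so any UDP/53 packet that reaches the router is redirected to
# the on-box resolver, and the INPUT check only inspects a source address,
# which is whatever the sender chose to put in the header.
weak_redirect() {
    $IPT -t nat -A PREROUTING -p udp --dport 53 -j REDIRECT --to-ports 53
    $IPT -A INPUT -s "$LAN_NET" -p udp --dport 53 -j ACCEPT
}

# FIXED: match on the interface the packet actually arrived on, drop our own
# prefix when it shows up on the WAN, rate-limit UDP/53 and keep TCP/53 open
# so truncated (TC=1) answers can be retried over TCP.
hardened_dns() {
    $IPT -A INPUT   -i "$WAN_IF" -s "$LAN_NET" -j DROP
    $IPT -A FORWARD -i "$WAN_IF" -s "$LAN_NET" -j DROP
    $IPT -t nat -A PREROUTING -i "$LAN_IF" -p udp --dport 53 -j REDIRECT --to-ports 53
    $IPT -t nat -A PREROUTING -i "$LAN_IF" -p tcp --dport 53 -j REDIRECT --to-ports 53
    # aggregate token bucket (the limit match is not per-source); tune to taste
    $IPT -A INPUT -i "$LAN_IF" -p udp --dport 53 -m limit --limit 200/s --limit-burst 400 -j ACCEPT
    $IPT -A INPUT -i "$LAN_IF" -p tcp --dport 53 -j ACCEPT
    $IPT -A INPUT -p udp --dport 53 -j DROP
    $IPT -A INPUT -p tcp --dport 53 -j DROP
    # SSDP (1900) and chargen (19) have no business crossing the WAN edge
    for port in 1900 19; do
        $IPT -A INPUT   -i "$WAN_IF" -p udp --dport "$port" -j DROP
        $IPT -A FORWARD -i "$WAN_IF" -p udp --dport "$port" -j DROP
    done
}

# print (or, with IPT=iptables as root, install) the hardened rule set
hardened_dns
```

Run as-is to review the generated rules; the same script with IPT=iptables installs them, so check chain policies and existing rules on the box first.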