[187781] in North American Network Operators' Group


Re: Thank you, Comcast.

daemon@ATHENA.MIT.EDU (Mikael Abrahamsson)
Fri Feb 26 08:56:53 2016

X-Original-To: nanog@nanog.org
Date: Fri, 26 Feb 2016 14:55:26 +0100 (CET)
From: Mikael Abrahamsson <swmike@swm.pp.se>
To: Nick Hilliard <nick@foobar.org>
In-Reply-To: <56D0506A.3030902@foobar.org>
Cc: NANOG list <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org

On Fri, 26 Feb 2016, Nick Hilliard wrote:

> Traffic from dns-spoofing attacks generally has src port = 53 and dst 
> port = random.  If you block packets with udp src port=53 towards 
> customers, you will also block legitimate return traffic if the 
> customers run their own DNS servers or use opendns / google dns / etc.

Sure, it's a very interesting discussion what ports should be blocked or 
not.

http://www.bitag.org/documents/Port-Blocking.pdf

This mentions on page 3.1, TCP(UDP)/25,135,139 and 445. They've been 
blocked for a very long time to fix some issues, even though there is 
legitimate use for these ports.

So if you're blocking these ports, it seems like a small step to block 
UDP/TCP/53 towards customers as well. I can't come up with an argument 
that makes sense to block TCP/25 and then not block port UDP/TCP/53 as 
well. If you're protecting the Internet from your customers' 
misconfiguration by blocking port 25 and the MS ports, why not 53 as well?

This is a slippery slope of course, and judgement calls are not easy to 
make.

-- 
Mikael Abrahamsson    email: swmike@swm.pp.se
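The collateral damage Nick describes above (a stateless "drop inbound UDP with source port 53" rule also kills replies to customers who run their own resolver or use a public one) can be made concrete with a small simulation. The following is an added example, not code from the thread or from any operator mentioned in it: it runs a constructed packet trace through the stateless rule and through a stateful alternative that only admits a source-port-53 packet if it answers a query seen leaving the customer side. Addresses are RFC 5737 documentation space, 8.8.8.8 stands in for a public resolver, and the customer prefix, labels and packet layout are assumptions made for the demo.

```python
"""Added example (not from the NANOG thread): stateless vs. stateful handling
of inbound UDP packets with source port 53, over a constructed packet trace."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    direction: str  # "out": customer -> Internet, "in": Internet -> customer
    label: str      # ground truth for the demo: "legit query", "legit reply", "spoofed"


# Constructed trace (assumption: 203.0.113.0/24 is the customer side).
TRACE: List[Packet] = [
    # customer host queries a public resolver; the reply comes back from src port 53
    Packet("203.0.113.10", 40123, "8.8.8.8", 53, "out", "legit query"),
    Packet("8.8.8.8", 53, "203.0.113.10", 40123, "in", "legit reply"),
    # customer runs its own recursive resolver and queries an authoritative server
    Packet("203.0.113.53", 51555, "198.51.100.7", 53, "out", "legit query"),
    Packet("198.51.100.7", 53, "203.0.113.53", 51555, "in", "legit reply"),
    # reflected/spoofed DNS traffic: src port 53, random dst port, no matching query
    Packet("192.0.2.9", 53, "203.0.113.10", 33001, "in", "spoofed"),
    Packet("192.0.2.77", 53, "203.0.113.10", 9876, "in", "spoofed"),
]

Verdicts = Dict[Packet, str]


def stateless_src53_filter(trace: List[Packet]) -> Verdicts:
    """The rule discussed in the thread: drop every inbound UDP packet whose
    source port is 53, with no knowledge of what the customer sent earlier."""
    return {
        pkt: ("drop" if pkt.direction == "in" and pkt.src_port == 53 else "pass")
        for pkt in trace
    }


def stateful_src53_filter(trace: List[Packet]) -> Verdicts:
    """Alternative: an inbound src-port-53 packet passes only if its reversed
    4-tuple matches a query that left the customer side; one reply consumes
    the entry, so a flood of unsolicited 'replies' is dropped."""
    pending: Set[Tuple[str, int, str, int]] = set()
    verdicts: Verdicts = {}
    for pkt in trace:
        if pkt.direction == "out" and pkt.dst_port == 53:
            pending.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
            verdicts[pkt] = "pass"
        elif pkt.direction == "in" and pkt.src_port == 53:
            key = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
            if key in pending:
                pending.discard(key)
                verdicts[pkt] = "pass"
            else:
                verdicts[pkt] = "drop"
        else:
            verdicts[pkt] = "pass"  # traffic the rule does not concern itself with
    return verdicts


def summarize(verdicts: Verdicts) -> Dict[str, int]:
    """Count collateral damage (legit traffic dropped) and misses (spoofed passed)."""
    summary = {"legit_dropped": 0, "spoofed_passed": 0, "spoofed_dropped": 0}
    for pkt, verdict in verdicts.items():
        if pkt.label.startswith("legit") and verdict == "drop":
            summary["legit_dropped"] += 1
        elif pkt.label == "spoofed":
            summary["spoofed_passed" if verdict == "pass" else "spoofed_dropped"] += 1
    return summary


if __name__ == "__main__":
    for name, rule in (("stateless", stateless_src53_filter),
                       ("stateful", stateful_src53_filter)):
        print(f"{name:9s} {summarize(rule(TRACE))}")
```

The stateless rule drops both spoofed packets but also both legitimate replies, which is exactly the breakage Nick points at; the stateful rule keeps the replies and still drops the unsolicited packets. Two caveats a practitioner should keep in mind: the stateful check matches on the 4-tuple only, so a spoofer who guesses the customer's source port and the resolver address (the classic cache-poisoning race) still gets a packet through, and neither rule touches inbound traffic with destination port 53, which is the case that Mikael's broader "block UDP/TCP/53 towards customers" would affect for any customer hosting an authoritative or public server.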
