[187782] in North American Network Operators' Group


Re: Thank you, Comcast.

daemon@ATHENA.MIT.EDU (Mike Hammett)
Fri Feb 26 09:00:16 2016

X-Original-To: nanog@nanog.org
Date: Fri, 26 Feb 2016 07:58:38 -0600 (CST)
From: Mike Hammett <nanog@ics-il.net>
To: dovid@telecurve.com
In-Reply-To: <1204131924-1456493530-cardhu_decombobulator_blackberry.rim.net-849286781-@b11.c1.bise6.blackberry>
Cc: NANOG list <nanog@nanog.org>, NANOG <nanog-bounces@nanog.org>
Errors-To: nanog-bounces@nanog.org

I'm sure someone smarter than I will chime in here, but I'd say far too much effort/resources for too little tangible results.

----- 
Mike Hammett 
Intelligent Computing Solutions 
http://www.ics-il.com 

Midwest-IX 
http://www.midwest-ix.com 

----- Original Message -----

From: "Dovid Bender" <dovid@telecurve.com> 
To: "Mike Hammett" <nanog@ics-il.net>, "NANOG" <nanog-bounces@nanog.org> 
Cc: "NANOG list" <nanog@nanog.org> 
Sent: Friday, February 26, 2016 7:32:09 AM 
Subject: Re: Thank you, Comcast. 

I had a client with a few boxes that had DNS wide open. Couldn't you use Snort to match against those specific requests and just drop those packets?


Regards, 

Dovid 

-----Original Message----- 
From: Mike Hammett <nanog@ics-il.net> 
Sender: "NANOG" <nanog-bounces@nanog.org>
Date: Fri, 26 Feb 2016 07:27:50
Cc: NANOG list<nanog@nanog.org> 
Subject: Re: Thank you, Comcast. 

"you will also block legitimate return traffic if the 
customers run their own DNS servers or use opendns / google dns / etc." 

I'm fine with that. Residential customers shouldn't be running DNS servers anyway, and as far as the outside resolvers go, ehhhh... I see the case for OpenDNS given that you can use it to filter (though that's easily bypassed), but not really for any others.

----- 
Mike Hammett 
Intelligent Computing Solutions 
http://www.ics-il.com 

Midwest-IX 
http://www.midwest-ix.com 

----- Original Message ----- 

From: "Nick Hilliard" <nick@foobar.org> 
To: "Mikael Abrahamsson" <swmike@swm.pp.se> 
Cc: "NANOG list" <nanog@nanog.org> 
Sent: Friday, February 26, 2016 7:17:30 AM 
Subject: Re: Thank you, Comcast. 

Mikael Abrahamsson wrote: 
> Why isn't UDP/53 blocked towards customers? I know historically there 
> were resolvers that used UDP/53 as source port for queries, but is this 
> the case nowadays? 
> 
> I know providers that have blocked UDP/53 towards customers as a 
> countermeasure to the amplification attacks. As far as I heard, there 
> were no customer complaints. 

Traffic from dns-spoofing attacks generally has src port = 53 and dst 
port = random. If you block packets with udp src port=53 towards 
customers, you will also block legitimate return traffic if the 
customers run their own DNS servers or use opendns / google dns / etc. 

Nick 
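A small simulation of the trade-off Nick describes, added here as an example and not taken from the thread: a blanket drop of inbound UDP source port 53 versus a filter that only admits answers to queries the customer actually sent out. The packets and addresses are constructed (documentation ranges), and the transaction-ID matching is a simplified stand-in for real connection tracking.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    """Minimal UDP/DNS packet view: addresses, ports, DNS transaction ID, direction."""
    src: str
    sport: int
    dst: str
    dport: int
    txid: int
    inbound: bool  # True = towards the customer


def port_filter(pkts):
    """Drop every inbound packet with UDP source port 53 (the blanket rule)."""
    return [p for p in pkts if not (p.inbound and p.sport == 53)]


def stateful_filter(pkts):
    """Admit an inbound src-port-53 packet only if it answers an outbound query.
    Real connection tracking would also expire pending entries; omitted here."""
    pending = set()   # (resolver, customer port, customer, txid) of open queries
    admitted = []
    for p in pkts:
        if not p.inbound:
            if p.dport == 53:
                pending.add((p.dst, p.sport, p.src, p.txid))
            admitted.append(p)
        elif p.sport == 53:
            key = (p.src, p.dport, p.dst, p.txid)
            if key in pending:        # reply to something we asked
                pending.discard(key)
                admitted.append(p)
            # otherwise: unsolicited "answer" = reflection traffic, dropped
        else:
            admitted.append(p)
    return admitted


# Constructed sample traffic (TEST-NET addresses, not real hosts).
CUSTOMER, RESOLVER, OPEN_RESOLVER = "203.0.113.10", "198.51.100.1", "192.0.2.77"
SAMPLE = [
    Pkt(CUSTOMER, 40001, RESOLVER, 53, 0x1A2B, inbound=False),      # legit query out
    Pkt(RESOLVER, 53, CUSTOMER, 40001, 0x1A2B, inbound=True),       # its legit answer
    Pkt(OPEN_RESOLVER, 53, CUSTOMER, 5127, 0x9999, inbound=True),   # unsolicited answer
    Pkt(OPEN_RESOLVER, 53, CUSTOMER, 5128, 0x9999, inbound=True),   # unsolicited answer
]

if __name__ == "__main__":
    print("port filter keeps", len(port_filter(SAMPLE)), "of", len(SAMPLE))
    print("stateful filter keeps", len(stateful_filter(SAMPLE)), "of", len(SAMPLE))
```

The blanket rule discards the customer's own legitimate answer along with the reflected packets; the stateful variant keeps it while still dropping the unsolicited ones.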