[187783] in North American Network Operators' Group
Re: Thank you, Comcast.
daemon@ATHENA.MIT.EDU (Maxwell Cole)
Fri Feb 26 09:18:54 2016
X-Original-To: nanog@nanog.org
From: Maxwell Cole <mcole.mailinglists@gmail.com>
In-Reply-To: <alpine.DEB.2.02.1602261450230.11524@uplift.swm.pp.se>
Date: Fri, 26 Feb 2016 09:18:50 -0500
To: Mikael Abrahamsson <swmike@swm.pp.se>
Cc: NANOG list <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org
I agree,
At the very least things like SNMP/NTP should be blocked. I mean how
many people actually run a legit NTP server out of their home? Dozens?
And the people who run SNMP devices with the default/common communities
aren’t the ones using it.
If the argument is that you need a Business class account to run a mail
server then I have no problem extending that to DNS servers also.
Cheers,
Max
> On Feb 26, 2016, at 8:55 AM, Mikael Abrahamsson <swmike@swm.pp.se> wrote:
>
> On Fri, 26 Feb 2016, Nick Hilliard wrote:
>
>> Traffic from dns-spoofing attacks generally has src port = 53 and
>> dst port = random. If you block packets with udp src port=53
>> towards customers, you will also block legitimate return traffic if the
>> customers run their own DNS servers or use opendns / google dns / etc.
>
> Sure, it's a very interesting discussion what ports should be blocked
> or not.
>
> http://www.bitag.org/documents/Port-Blocking.pdf
>
> This mentions on page 3.1, TCP(UDP)/25,135,139 and 445. They've been
> blocked for a very long time to fix some issues, even though there is
> legitimate use for these ports.
>
> So if you're blocking these ports, it seems like a small step to block
> UDP/TCP/53 towards customers as well. I can't come up with an argument
> that makes sense to block TCP/25 and then not block port UDP/TCP/53 as
> well. If you're protecting the Internet from your customers'
> misconfiguration by blocking port 25 and the MS ports, why not 53 as
> well?
>
> This is a slippery slope of course, and judgement calls are not easy
> to make.
>
> --
> Mikael Abrahamsson email: swmike@swm.pp.se