[187786] in North American Network Operators' Group
Re: Thank you, Comcast.
daemon@ATHENA.MIT.EDU (Jared Mauch)
Fri Feb 26 09:36:25 2016
X-Original-To: nanog@nanog.org
From: Jared Mauch <jared@puck.nether.net>
In-Reply-To: <5A798886-DA0A-4921-B5A6-9FF22A603865@gmail.com>
Date: Fri, 26 Feb 2016 09:28:48 -0500
To: Maxwell Cole <mcole.mailinglists@gmail.com>
Cc: NANOG list <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org
Most of the NTP hosts have been remediated or blocked.
Using QoS to set a cap on the amount of SNMP and DNS traffic is a fair response IMHO.
Some carriers (e.g. 7018) block chargen wholesale across their network. We haven't taken that step but it's also something I'm not opposed to.
As a community we need to determine if this background radiation and these responses are proper. I think it's a good response since vendors can't do uRPF at line rate and the major purchasers of BCM switches don't ask for it and aren't doing it, so it's not optimized or does not exist. /sigh
Jared Mauch
> On Feb 26, 2016, at 9:18 AM, Maxwell Cole <mcole.mailinglists@gmail.com> wrote:
>
> I agree,
>
> At the very least things like SNMP/NTP should be blocked. I mean how many people actually run a legit NTP server out of their home? Dozens? And the people who run SNMP devices with the default/common communities aren't the ones using it.
>
> If the argument is that you need a Business class account to run a mail server then I have no problem extending that to DNS servers also.
>
> Cheers,
> Max
>
>> On Feb 26, 2016, at 8:55 AM, Mikael Abrahamsson <swmike@swm.pp.se> wrote:
>>
>> On Fri, 26 Feb 2016, Nick Hilliard wrote:
>>
>>> Traffic from dns-spoofing attacks generally has src port = 53 and dst port = random. If you block packets with udp src port=53 towards customers, you will also block legitimate return traffic if the customers run their own DNS servers or use opendns / google dns / etc.
>>
>> Sure, it's a very interesting discussion what ports should be blocked or not.
>>
>> http://www.bitag.org/documents/Port-Blocking.pdf
>>
>> This mentions on page 3.1, TCP(UDP)/25,135,139 and 445. They've been blocked for a very long time to fix some issues, even though there is legitimate use for these ports.
>>
>> So if you're blocking these ports, it seems like a small step to block UDP/TCP/53 towards customers as well. I can't come up with an argument that makes sense to block TCP/25 and then not block port UDP/TCP/53 as well. If you're protecting the Internet from your customers' misconfiguration by blocking port 25 and the MS ports, why not 53 as well?
>>
>> This is a slippery slope of course, and judgement calls are not easy to make.
>>
>> --
>> Mikael Abrahamsson email: swmike@swm.pp.se
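As an added illustration of Nick's point (this is not code from the thread): a stateless "drop inbound UDP source port 53" rule discards a customer's own resolver replies, while a per-flow check admits only replies that match a query the customer sent. The packet records and addresses (documentation ranges) are constructed sample data.

```python
# Added example, not part of the NANOG thread: stateless vs. stateful handling
# of inbound UDP packets with source port 53 towards a customer.
from collections import namedtuple

Packet = namedtuple("Packet", "direction proto src_ip src_port dst_ip dst_port")

# Constructed sample traffic for one customer (192.0.2.10, an assumed address).
SAMPLE = [
    Packet("out", "udp", "192.0.2.10", 40123, "8.8.8.8", 53),       # customer's query
    Packet("in",  "udp", "8.8.8.8", 53, "192.0.2.10", 40123),       # legitimate reply
    Packet("in",  "udp", "198.51.100.7", 53, "192.0.2.10", 51000),  # unsolicited reply
    Packet("in",  "udp", "203.0.113.9", 123, "192.0.2.10", 123),    # NTP, unrelated
]

def stateless_filter(packets):
    """Drop every inbound UDP packet with source port 53, regardless of context.
    Returns the dropped packets; the legitimate reply is among them."""
    dropped = []
    for p in packets:
        if p.direction == "in" and p.proto == "udp" and p.src_port == 53:
            dropped.append(p)
    return dropped

def stateful_filter(packets):
    """Admit an inbound src-port-53 packet only if it answers a query that was
    seen leaving the customer; drop unsolicited ones. Returns the dropped packets."""
    pending = set()   # (server_ip, server_port, client_ip, client_port) of open queries
    dropped = []
    for p in packets:
        if p.direction == "out" and p.proto == "udp" and p.dst_port == 53:
            pending.add((p.dst_ip, p.dst_port, p.src_ip, p.src_port))
        elif p.direction == "in" and p.proto == "udp" and p.src_port == 53:
            key = (p.src_ip, p.src_port, p.dst_ip, p.dst_port)
            if key in pending:
                pending.discard(key)   # one reply per outstanding query
            else:
                dropped.append(p)
    return dropped
```

The per-flow check is the kind of state that, as Jared notes, aggregation hardware cannot keep at line rate, which is why the thread lands on rate caps rather than stateful inspection.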