[77972] in North American Network Operators' Group


Re: Vonage complains about VoIP-blocking

daemon@ATHENA.MIT.EDU (Daniel Golding)
Tue Feb 15 16:51:37 2005

Date: Tue, 15 Feb 2005 16:49:28 -0500
From: Daniel Golding <dgolding@burtongroup.com>
To: Rob Thomas <robt@cymru.com>
Cc: NANOG <nanog@merit.edu>
In-Reply-To: <Pine.GSO.4.62.0502151521180.28688@qentba.nf23028.arg>
Errors-To: owner-nanog-outgoing@merit.edu
I've gotten a couple of emails on this. To summarize:

1) Some malware uses TFTP. However, much malware now uses other ports, such
as 80.

2) There are numerous buffer overflow bugs with TFTP. This would seem to be
better resolved with rACLs or ACLs towards loopback/interface blocks (and,
of course, turning TFTP off and using scp or sftp).

It would be interesting to find out what percentage of Internet accessible
routers are remotely upgradable via TFTP presently. Sadly, this would be
non-zero...

- Dan

On 2/15/05 4:28 PM, "Rob Thomas" <robt@cymru.com> wrote:

> Hi, Dan.
> 
> ] Why block TFTP at your borders? To keep people from loading new versions of
> ] IOS on your routers? ;)
> 
> Funny you should mention that.  :)  We have seen miscreants do exactly
> that.  They will upgrade or downgrade routers to support a feature set
> of their choosing.
> 
> A lot of malware uses TFTP to update itself as well.
> 
> Please note that I am NOT advocating the blocking of TFTP.
> 
> Thanks,
> Rob.
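Dan's second point names two router-side alternatives to blocking UDP/69 at the border: a receive ACL (rACL) on the router itself, or an infrastructure ACL on the edge interfaces covering the loopback and link address blocks. The fragment below is an added illustration of both, not configuration posted by either participant. It assumes Cisco IOS syntax (the "ip receive access-list" command exists on the 12000/7500 class platforms of that era), uses RFC 5737 documentation prefixes in place of a real management block (192.0.2.0/24) and a real infrastructure block (198.51.100.0/24), and the interface name is a placeholder.

```cisco
! --- Option A: receive ACL (rACL). Applied globally to packets addressed
! --- to the router's own addresses on any interface, loopbacks included.
! --- ACEs are evaluated top-down; first match wins.
!
! Management hosts allowed to speak TFTP to the router
! (192.0.2.0/24 is an RFC 5737 prefix standing in for the real block).
access-list 110 permit udp 192.0.2.0 0.0.0.255 any eq tftp
! Everyone else: TFTP aimed at the router's own addresses is dropped,
! so an exposed UDP/69 listener cannot be reached from the Internet.
access-list 110 deny   udp any any eq tftp
! Leave the rest of the control and management plane alone so routing
! protocols, SNMP, SSH etc. keep working. Tighten further in production.
access-list 110 permit ip any any
!
ip receive access-list 110

! --- Option B: infrastructure ACL on every Internet-facing interface,
! --- denying outside TFTP toward the address space that holds the
! --- loopbacks and link addresses (198.51.100.0/24 is an RFC 5737 prefix
! --- standing in for the real infrastructure block).
ip access-list extended EDGE-IN
 deny   udp any 198.51.100.0 0.0.0.255 eq tftp
 permit ip any any
!
interface GigabitEthernet0/0
 description Upstream transit (placeholder interface name)
 ip access-group EDGE-IN in

! --- Turning the router's TFTP server off altogether, as Dan suggests:
! --- IOS only serves files that were explicitly exported with
! --- "tftp-server <file>", so list and remove any such lines, e.g.
!   show running-config | include tftp-server
!   no tftp-server <file-shown-above>
```

Both options protect the router's own TFTP listener (and, with a fuller rACL, the rest of the control plane) without touching customer traffic transiting the router, which is what distinguishes them from a border block on UDP/69. Neither stops the case Rob describes: an attacker who already has enable access can still issue "copy tftp: flash:" from the router as a TFTP client, since the replies arrive on an ephemeral port, not on 69. That exposure is a management-access and AAA problem, not an ACL one.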

