Thank you, Comcast.

Jared Mauch jared at puck.nether.net
Fri Feb 26 14:28:48 UTC 2016


Most of the NTP hosts have been remediated or blocked. 

Using QoS to set a cap of the amount of SNMP and DNS traffic is a fair response IMHO. 

Some carriers eg: 7018 block chargen wholesale across their network. We haven't taken that step but it's also something I'm not opposed to. 

As a community we need to determine if this background radiation and these responses are proper. I think it's a good response since vendors can't do uRPF at line rate and the major purchasers of BCM switches don't ask for it and aren't doing it, so it's not optimized or does not exist. /sigh

Jared Mauch

> On Feb 26, 2016, at 9:18 AM, Maxwell Cole <mcole.mailinglists at gmail.com> wrote:
> 
> I agree,
> 
> At the very least things like SNMP/NTP should be blocked. I mean how many people actually run a legit NTP server out of their home? Dozens? And the people who run SNMP devices with the default/common communities aren’t the ones using it. 
> 
> If the argument is that you need a Business class account to run a mail server then I have no problem extending that to DNS servers also.
> 
> Cheers,
> Max
> 
>> On Feb 26, 2016, at 8:55 AM, Mikael Abrahamsson <swmike at swm.pp.se> wrote:
>> 
>> On Fri, 26 Feb 2016, Nick Hilliard wrote:
>> 
>>> Traffic from dns-spoofing attacks generally has src port = 53 and dst port = random.  If you block packets with udp src port=53 towards customers, you will also block legitimate return traffic if the customers run their own DNS servers or use opendns / google dns / etc.
>> 
>> Sure, it's a very interesting discussion what ports should be blocked or not.
>> 
>> http://www.bitag.org/documents/Port-Blocking.pdf
>> 
>> This mentions on page 3.1, TCP(UDP)/25,135,139 and 445. They've been blocked for a very long time to fix some issues, even though there is legitimate use for these ports.
>> 
>> So if you're blocking these ports, it seems like a small step to block UDP/TCP/53 towards customers as well. I can't come up with an argument that makes sense to block TCP/25 and then not block port UDP/TCP/53 as well. If you're protecting the Internet from your customers' misconfiguration by blocking port 25 and the MS ports, why not 53 as well?
>> 
>> This is a slippery slope of course, and judgement calls are not easy to make.
>> 
>> -- 
>> Mikael Abrahamsson    email: swmike at swm.pp.se
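The two responses debated in this thread, a blanket block on UDP source port 53 toward customers versus a QoS cap on the same traffic, can be compared on constructed traffic. The following is an added simulation and is not code from the thread or from any of the posters: it assumes a customer range 192.0.2.0/24, one customer receiving legitimate replies from a public resolver and one customer being hit by a reflection flood, and a hypothetical per-customer byte token bucket standing in for a router QoS policer. It shows the point Nick raised (the port block also drops the legitimate resolver replies) alongside the cap Jared describes (legitimate replies pass, the flood is bounded).

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed addressing (documentation ranges, not real hosts):
#   192.0.2.0/24 -> "our customers"
#   192.0.2.10   -> a customer using a public resolver (legit replies arrive from src port 53)
#   192.0.2.20   -> a customer being hit by a DNS reflection flood (also src port 53)
CUSTOMER_PREFIX = "192.0.2."
LEGIT_CUSTOMER = "192.0.2.10"
FLOOD_VICTIM = "192.0.2.20"
PUBLIC_RESOLVER = "8.8.8.8"   # the "google dns" case from the thread


@dataclass(frozen=True)
class Packet:
    t: float       # arrival time in seconds
    proto: str     # "udp" or "tcp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    size: int      # bytes on the wire


def toward_customer(p: Packet) -> bool:
    return p.dst_ip.startswith(CUSTOMER_PREFIX)


def build_traffic():
    """Constructed sample: 5 legitimate resolver replies (one per second, 200 bytes)
    plus a 1000-packet reflection flood (one per millisecond, 1400 bytes)."""
    legit = [Packet(float(i), "udp", PUBLIC_RESOLVER, 53, LEGIT_CUSTOMER, 40000 + i, 200)
             for i in range(5)]
    flood = [Packet(i * 0.001, "udp", f"198.51.100.{i % 200}", 53, FLOOD_VICTIM, 1234, 1400)
             for i in range(1000)]
    return sorted(legit + flood, key=lambda p: p.t)


def port_block_policy(packets, blocked_udp_src_ports=(53,)):
    """Blanket block: drop UDP toward customers when the source port is in the set."""
    return [p for p in packets
            if not (toward_customer(p) and p.proto == "udp"
                    and p.src_port in blocked_udp_src_ports)]


class TokenBucket:
    """Byte-based token bucket: `rate` bytes/s sustained, `burst` bytes of credit.
    A hypothetical stand-in for a per-customer QoS policer."""
    def __init__(self, rate: float, burst: float):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = burst, 0.0

    def allow(self, now: float, size: int) -> bool:
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= size:
            self.tokens -= size
            return True
        return False


def rate_cap_policy(packets, capped_udp_src_ports=(53,), rate=10_000, burst=10_000):
    """QoS-style cap: a separate bucket per customer, applied only to UDP from the
    listed source ports, so one customer's flood does not consume another's credit."""
    buckets = defaultdict(lambda: TokenBucket(rate, burst))
    passed = []
    for p in packets:
        if toward_customer(p) and p.proto == "udp" and p.src_port in capped_udp_src_ports:
            if not buckets[p.dst_ip].allow(p.t, p.size):
                continue
        passed.append(p)
    return passed


def summarize(passed):
    """Count what reached each customer so the two policies can be compared."""
    out = {"legit_pkts": 0, "legit_bytes": 0, "flood_pkts": 0, "flood_bytes": 0}
    for p in passed:
        kind = "legit" if p.dst_ip == LEGIT_CUSTOMER else "flood"
        out[f"{kind}_pkts"] += 1
        out[f"{kind}_bytes"] += p.size
    return out


if __name__ == "__main__":
    traffic = build_traffic()
    print("port block:", summarize(port_block_policy(traffic)))
    print("rate cap:  ", summarize(rate_cap_policy(traffic)))
```

With the port block, both customers receive nothing from source port 53, so the resolver replies are lost along with the flood. With the cap, all five resolver replies pass (they never exceed the bucket), while the flood toward the other customer is held to roughly burst plus rate times elapsed time, about 20 KB over the second instead of 1.4 MB. Real policers work on interface queues rather than a Python list, but the trade-off the thread describes is the same.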
