We hit half-million: The Cidr Report

TheIpv6guy . cb.list6 at gmail.com
Wed Apr 30 03:37:32 UTC 2014


On Tue, Apr 29, 2014 at 7:54 PM, Jeff Kell <jeff-kell at utc.edu> wrote:
> On 4/29/2014 2:06 PM, Owen DeLong wrote:
>> If everyone who had 30+ inaggregable IPv4 prefixes replaced them with 1 (or even 3) IPv6 prefixes…
>>
>> As a bonus, we could get rid of NAT, too. ;-)
>>
>> /me ducks (but you know I had to say it)
>
> Yeah, just when we thought Slammer / Blaster / Nachi / Welchia / etc /
> etc  had been eliminated by process of "can't get there from here"... we
> expose millions more endpoints...
>
> /me ducks too (but you know *I* had to say it)
>

No ducking here.  You forgot Nimda.  Do you have an example from the
last 10 years of this class?

Windows XP SP3 with a default host firewall on really did solve most
of this, not NAT.  Not stateful firewalls in networks.

In fact, jogging my memory, I clearly remember Blaster taking out
enterprise networks with network firewalls and stateful inspection...
because people manually moved their laptops between security zones.
Right? They got infected on one LAN and then attached and spread the
worm to other LANs.

I also remember the folks saying we just spent $100k on a pair of
super Netscreen firewalls, why is our network crashing?  Right?  And
then the infection scanning from hacked hosts... of course, overloaded
the firewall, and that crashed the entire campus... because the
firewall was a single point of failure sitting on the internet
border... and it had the 0-day flaw of too many sessions = crash.
Most firewalls have this 0-day; it's a feature.

This really happened to me in 2003, where a network-based attack had a
broad impact on hosts.  But, never again after Win XP SP3.  Now, I
just have DDoS from purposefully publicly (poorly) run NTP and DNS
servers. And, hacks from users clicking on links they know they should
not click on. Oh, and anything made with Java or Adobe or IE.  Those
things are impossible to run securely, so secure systems don't run
them.

And, every now and then a server gets cracked, right through the
stateful firewall... because there was a rule allowing ANY to TCP 80.

CB



More information about the NANOG mailing list