Thank you, Comcast.
jared at puck.nether.net
Fri Feb 26 03:59:34 UTC 2016
SSDP, DNS and other amplification is a big issue for large consumer networks like Comcast.
This is something I’m hoping other vendors take seriously (e.g. Netgear) when it comes to their usage of DNSMASQ and other tools on-box and iptables configs that promote spoofing by using IP ranges vs constraining rules with the ingress/egress interface.
It’s these simple amateur errors that can turn a port 53 redirect into a spoofing instance when it only passes the INPUT rule vs -t NAT rule.
Please block SSDP and Chargen on your networks. Consider rate-limiting DNS & SNMP to 1% or something appropriate to avoid issues.
Make sure you permit TCP/53 for DNS queries so that, if TC=1, lookups work.
> On Feb 25, 2016, at 10:52 PM, Paras Jha <paras at protrafsolutions.com> wrote:
> It's interesting that they'd call about DNS amplification... You don't
> typically see DNS amplified floods coming from home ISPs. I would imagine
> SSDP amplification is a far greater issue for any home ISP.
> On Thu, Feb 25, 2016 at 10:46 PM, Mike Hammett <nanog at ics-il.net> wrote:
>> I know. It seems odd, doesn't it?
>> They're actually suspending people's accounts for DNS amplification. My
>> aunt got a call about it tonight. I had already firewalled that off on her
>> router before they called, but they're doing it. There's more that they
>> could do I'm sure, but they're doing it. Maybe it's flooding their upstream
>> causing other service issues.... but they're doing it.
>> So many others aren't doing much at all.
>> Mike Hammett
>> Intelligent Computing Solutions
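As an added example (not from Jared's post, nor any vendor's firmware), the POSIX shell sketch below contrasts the two iptables rule styles the post describes: a port-53 redirect keyed on the LAN address range, which a packet arriving on the WAN with a forged LAN source can still match, beside the interface-constrained form, together with the SSDP/chargen blocks and a TCP/53 allowance for truncated answers. Interface names lan0/wan0 and the 192.168.1.0/24 prefix are assumptions.

```shell
#!/bin/sh
# Added example (not from the post or any vendor firmware): iptables rule sets for a
# home router. Assumed names: LAN side lan0, upstream wan0, LAN prefix 192.168.1.0/24.
IPT="${IPT:-iptables}"   # set IPT=echo to print the rules instead of applying them
LAN="${LAN:-lan0}"
WAN="${WAN:-wan0}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"

# Weak form: the redirect and its INPUT accept are keyed on the LAN prefix only. A packet
# that arrives on wan0 with a forged 192.168.1.x source still matches, so the box answers
# it and the reply lands on whoever was spoofed.
weak_dns_redirect() {
    $IPT -t nat -A PREROUTING -s "$LAN_NET" -p udp --dport 53 -j REDIRECT --to-ports 53
    $IPT -A INPUT -s "$LAN_NET" -p udp --dport 53 -j ACCEPT
}

# Hardened form: every rule names the ingress interface, TCP/53 is allowed from the LAN so
# truncated (TC=1) answers can be retried over TCP, and port 53 from the WAN is dropped.
hardened_dns_redirect() {
    for proto in udp tcp; do
        $IPT -t nat -A PREROUTING -i "$LAN" -p "$proto" --dport 53 -j REDIRECT --to-ports 53
        $IPT -A INPUT -i "$LAN" -p "$proto" --dport 53 -j ACCEPT
        $IPT -A INPUT -i "$WAN" -p "$proto" --dport 53 -j DROP
    done
}

# Anti-spoofing by interface: LAN-prefix sources never arrive on wan0, and nothing leaves
# wan0 with a source outside the LAN prefix. Then drop the reflection ports the post names
# (SSDP udp/1900, chargen udp+tcp/19) and rate-limit SNMP answers leaving the WAN side.
block_amplifiers() {
    $IPT -A INPUT   -i "$WAN" -s "$LAN_NET" -j DROP
    $IPT -A FORWARD -i "$WAN" -s "$LAN_NET" -j DROP
    $IPT -A FORWARD -o "$WAN" ! -s "$LAN_NET" -j DROP
    $IPT -A INPUT -i "$WAN" -p udp --dport 1900 -j DROP
    $IPT -A INPUT -i "$WAN" -p udp --dport 19 -j DROP
    $IPT -A INPUT -i "$WAN" -p tcp --dport 19 -j DROP
    $IPT -A OUTPUT -o "$WAN" -p udp --sport 161 -m limit --limit 5/s --limit-burst 10 -j ACCEPT
    $IPT -A OUTPUT -o "$WAN" -p udp --sport 161 -j DROP
}

apply_all() { hardened_dns_redirect; block_amplifiers; }

# "sh ruleset.sh apply" installs the hardened rules; "IPT=echo sh ruleset.sh apply" previews them.
if [ "${1:-}" = "apply" ]; then apply_all; fi
```

The weak_dns_redirect function is kept only for comparison; apply_all never installs it.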