Thank you, Comcast.

Mike Hammett nanog at ics-il.net
Fri Feb 26 13:58:38 UTC 2016


I'm sure someone smarter than I will chime in here, but I'd say far too much effort\resources for too little tangible results. 




----- 
Mike Hammett 
Intelligent Computing Solutions 
http://www.ics-il.com 

Midwest-IX 
http://www.midwest-ix.com 

----- Original Message -----

From: "Dovid Bender" <dovid at telecurve.com> 
To: "Mike Hammett" <nanog at ics-il.net>, "NANOG" <nanog-bounces at nanog.org> 
Cc: "NANOG list" <nanog at nanog.org> 
Sent: Friday, February 26, 2016 7:32:09 AM 
Subject: Re: Thank you, Comcast. 

I had a client with a few boxes that had dns wide open. Couldn't you use snort to match against those specific requests and just drop those packets? 


Regards, 

Dovid 

-----Original Message----- 
From: Mike Hammett <nanog at ics-il.net> 
Sender: "NANOG" <nanog-bounces at nanog.org>Date: Fri, 26 Feb 2016 07:27:50 
Cc: NANOG list<nanog at nanog.org> 
Subject: Re: Thank you, Comcast. 

"you will also block legitimate return traffic if the 
customers run their own DNS servers or use opendns / google dns / etc." 

I'm fine with that. Residential customers shouldn't be running DNS servers anyway and as far as the outside resolvers to go, ehhhh... I see the case for OpenDNS given that you can use it to filter (though that's easily bypassed), but not really for any others. 




----- 
Mike Hammett 
Intelligent Computing Solutions 
http://www.ics-il.com 

Midwest-IX 
http://www.midwest-ix.com 

----- Original Message ----- 

From: "Nick Hilliard" <nick at foobar.org> 
To: "Mikael Abrahamsson" <swmike at swm.pp.se> 
Cc: "NANOG list" <nanog at nanog.org> 
Sent: Friday, February 26, 2016 7:17:30 AM 
Subject: Re: Thank you, Comcast. 

Mikael Abrahamsson wrote: 
> Why isn't UDP/53 blocked towards customers? I know historically there 
> were resolvers that used UDP/53 as source port for queries, but is this 
> the case nowadays? 
> 
> I know providers that have blocked UDP/53 towards customers as a 
> countermeasure to the amplification attacks. As far as I heard, there 
> were no customer complaints. 

Traffic from dns-spoofing attacks generally has src port = 53 and dst 
port = random. If you block packets with udp src port=53 towards 
customers, you will also block legitimate return traffic if the 
customers run their own DNS servers or use opendns / google dns / etc. 

Nick 





More information about the NANOG mailing list