Gi Firewall for mobile subscribers

Dovid Bender dovid at telecurve.com
Wed Apr 10 15:22:14 UTC 2019


I don't have v6 stats yet but it would be interesting to see. I did a tcpdump on
one v6 IP and saw hundreds of requests to port 25.


On Wed, Apr 10, 2019 at 10:43 AM Ca By <cb.list6 at gmail.com> wrote:

>
>
> On Wed, Apr 10, 2019 at 7:06 AM Dovid Bender <dovid at telecurve.com> wrote:
>
>> I think the traffic Amos is referring to is random traffic hitting the
>> devices causing them to "wake up". Everyone here knows a simple dump on
>> port 22 will show traffic. We have a /22 that gets an avg of 1-2 mbit of
>> random traffic (mainly 22 and 3389).
>>
>
> I believe he was talking about ipv6.
>
> Does this backscatter happen in ipv6 given how impractical scanning ipv6
> is?
>
>
>
>> On Wed, Apr 10, 2019 at 9:49 AM Ca By <cb.list6 at gmail.com> wrote:
>>
>>>
>>>
>>> On Wed, Apr 10, 2019 at 6:23 AM Amos Rosenboim <amos at oasis-tech.net>
>>> wrote:
>>>
>>>> Hello NANOG,
>>>>
>>>>
>>>>
>>>> We are discussing internally and wanted to get more opinions and
>>>> especially more data on what are people actually doing.
>>>>
>>>> We are running an ISP network with about 150K fixed broadband users,
>>>> running dual stack (IPv4 behind CGNAT).
>>>>
>>>> On the ISP network  IPv6 is simply routed, and is firewalled on the CPE.
>>>>
>>>>
>>>>
>>>> This network added mobile services about a year ago, also dual stack
>>>> (we have no control over the mobile devices so we were too concerned to
>>>> choose IPv6-only access).
>>>>
>>>> We have an ongoing discussion about Gi firewall (adding a firewall
>>>> between the subscribers and the internet, allowing only subscriber
>>>> initiated connections), for the IPv6 traffic.
>>>>
>>>>
>>>>
>>>> The firewall is doing very little security, the ruleset is very basic,
>>>> allowing anything from subscribers to the internet and blocking all traffic
>>>> from the internet towards the subscribers.
>>>>
>>>> We have a few rules to limit the number of connections per subscriber
>>>> (to a relatively high number) and that is it.
>>>>
>>>>
>>>>
>>>> One of the arguments in favor of having the firewall is that
>>>> unsolicited traffic from the internet can “wake” idle mobile devices, and
>>>> create signaling (paging) storms as well as drain user batteries.
>>>>
>>>>
>>>>
>>>> On the other hand, allowing only subscriber initiated traffic is mostly
>>>> achievable using ACLs on the mobile core facing routers, or is it with the
>>>> growing percentage of UDP traffic?
>>>>
>>>>
>>>>
>>>> BTW – I don’t mention IPv4 traffic on the mobile network as it’s all
>>>> behind CGNAT which doesn’t allow internet initiated connections.
>>>>
>>>>
>>>>
>>>> Anyway, we are very interested to hear more opinions, and
>>>> especially to hear what other mobile operators do.
>>>>
>>>>
>>>>
>>>> Regards
>>>>
>>>>
>>>>
>>>> Amos
>>>>
>>>>
>>>>
>>>
>>> Step outside the theoretical and model your real threats. Attack
>>> yourself or pay someone to do a real pentest.
>>>
>>> 1. Does a hacker know the ipv6 of your subs? How frequently does the sub
>>> get a new 128 bit address?
>>>
>>> 2. What does the hacker get from a paging storm? Economic benefit?
>>> Lolz? Has a malicious paging storm ever happened in the real world? What
>>> level of effort would be required to trigger that? Is that level of effort
>>> more or less than it would take to tip over a stateful firewall (session
>>> exhaustion, pps attack, ALG bugs, vulns in the fw
>>>
>>> https://www.zdnet.com/article/cisco-removed-its-seventh-backdoor-account-this-year-and-thats-a-good-thing/
>>> )
>>>
>>> 3. Assuming the hacker gleans the address of the sub, what ports are
>>> open in the real world? What can a hacker connect to and accomplish?
>>>
>>>
>>>
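An added illustration, not written by anyone in the thread above, of the two
policy questions Amos raises: whether "subscriber-initiated only" can be done
with a stateless ACL once much of the traffic is UDP, and what a per-subscriber
connection cap buys. The model below compares a router-style "established" ACL
(inbound TCP passes only if ACK is set, inbound UDP has no flag to match on)
against a small flow table that only creates state from the subscriber side
and caps flows per subscriber. The subscriber prefix, the cap of 5, the hosts
and the packet trace are all constructed for the example (2001:db8::/32 is the
documentation prefix); they are not data from any poster's network.

```python
"""Toy Gi-firewall policy model: stateless 'established' ACL vs. stateful table.

Everything here is constructed for illustration; no real operator data.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass

SUB_PREFIX = "2001:db8:1::"      # assumed subscriber pool (documentation prefix)
MAX_FLOWS_PER_SUB = 5            # assumed per-subscriber flow cap


@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str
    proto: str                   # "tcp" or "udp"
    sport: int
    dport: int
    syn: bool = False            # TCP SYN flag
    ack: bool = False            # TCP ACK flag


def is_subscriber(addr: str) -> bool:
    return addr.startswith(SUB_PREFIX)


def stateless_acl(pkt: Pkt) -> bool:
    """Router ACL with no connection state.

    Subscriber-sourced packets pass.  Inbound TCP passes only when ACK is set
    (what an 'established' keyword matches), which an ACK-flagged probe also
    satisfies.  Inbound UDP has no such flag: the ACL must either drop all of
    it (breaking DNS and QUIC replies) or pass all of it; this variant drops.
    """
    if is_subscriber(pkt.src):
        return True
    return pkt.proto == "tcp" and pkt.ack


class StatefulGi:
    """Minimal flow table; state is created only by subscriber-sourced packets."""

    def __init__(self, max_flows_per_sub: int):
        self.max_flows = max_flows_per_sub
        self.flows = set()                       # (sub, sport, peer, dport, proto)
        self.flows_per_sub = defaultdict(int)

    def accept(self, pkt: Pkt) -> bool:
        if is_subscriber(pkt.src):
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
            if key in self.flows:
                return True
            if self.flows_per_sub[pkt.src] >= self.max_flows:
                return False                     # per-subscriber cap reached
            self.flows.add(key)
            self.flows_per_sub[pkt.src] += 1
            return True
        # Internet-sourced: pass only the reverse of a known subscriber flow.
        # Nothing from this side ever creates state, so an outside host cannot
        # fill the table.  (A real table also needs idle timeouts, esp. for UDP.)
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto) in self.flows


SUB_A, SUB_B, SUB_C = "2001:db8:1::a", "2001:db8:1::b", "2001:db8:1::c"
WEB, DNS, SCANNER = "2001:db8:ffff::80", "2001:db8:ffff::53", "2001:db8:bad::1"


def build_trace(max_flows: int = MAX_FLOWS_PER_SUB):
    """Constructed packet trace with ground-truth labels for each packet."""
    t = [
        # subscriber A: TCP handshake to a web server
        (Pkt(SUB_A, WEB, "tcp", 50000, 443, syn=True), "solicited"),
        (Pkt(WEB, SUB_A, "tcp", 443, 50000, syn=True, ack=True), "solicited"),
        (Pkt(SUB_A, WEB, "tcp", 50000, 443, ack=True), "solicited"),
        # subscriber A: UDP DNS query/reply and QUIC (UDP 443) request/reply
        (Pkt(SUB_A, DNS, "udp", 40000, 53), "solicited"),
        (Pkt(DNS, SUB_A, "udp", 53, 40000), "solicited"),
        (Pkt(SUB_A, WEB, "udp", 40001, 443), "solicited"),
        (Pkt(WEB, SUB_A, "udp", 443, 40001), "solicited"),
        # internet scanner probing subscriber B: SYNs, an ACK-only probe, UDP
        (Pkt(SCANNER, SUB_B, "tcp", 55555, 22, syn=True), "unsolicited"),
        (Pkt(SCANNER, SUB_B, "tcp", 55556, 3389, syn=True), "unsolicited"),
        (Pkt(SCANNER, SUB_B, "tcp", 55557, 25, syn=True), "unsolicited"),
        (Pkt(SCANNER, SUB_B, "tcp", 55558, 22, ack=True), "unsolicited"),
        (Pkt(SCANNER, SUB_B, "udp", 55559, 5060), "unsolicited"),
    ]
    # subscriber C opens one UDP flow more than the cap allows
    for i in range(max_flows + 1):
        label = "solicited" if i < max_flows else "over_cap"
        t.append((Pkt(SUB_C, WEB, "udp", 41000 + i, 443), label))
    return t


def evaluate(trace=None, max_flows: int = MAX_FLOWS_PER_SUB):
    """Return {policy: Counter({(label, 'pass'|'drop'): n})} for both policies."""
    trace = trace or build_trace(max_flows)
    fw = StatefulGi(max_flows)
    verdicts = {"stateless": Counter(), "stateful": Counter()}
    for pkt, label in trace:
        verdicts["stateless"][(label, "pass" if stateless_acl(pkt) else "drop")] += 1
        verdicts["stateful"][(label, "pass" if fw.accept(pkt) else "drop")] += 1
    return verdicts


if __name__ == "__main__":
    for name, counts in evaluate().items():
        print(name)
        for (label, verdict), n in sorted(counts.items()):
            print(f"  {label:<12} {verdict}: {n}")
```

Running it shows the trade-off in numbers: the stateless ACL drops the DNS
and QUIC replies (two solicited packets lost) and still passes the ACK-flagged
probe to port 22, while the flow table passes every reply, drops all five
probes, and refuses subscriber C's sixth flow. Note what the cap does and does
not do: it bounds the state a subscriber (or malware on the handset) can create
in the firewall, which is Ca By's session-exhaustion concern, but it says
nothing about paging, since only subscriber-side packets are ever counted.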