Thank you, Comcast.
SSDP, DNS and other amplification is a big issue for large consumer networks like Comcast.
This is something I'm hoping other vendors take seriously (e.g. Netgear) when it comes to their usage of DNSMASQ and other tools on-box and iptables configs that promote spoofing by using IP ranges vs constraining rules with the ingress/egress interface.
It's these simple amateur errors that can turn a port 53 redirect into a spoofing instance when it only passes the INPUT rule vs -t NAT rule.
Please block SSDP and Chargen on your networks. Consider rate-limiting DNS & SNMP to 1% or something appropriate to avoid issues.
Make sure you permit TCP/53 for DNS queries so that lookups with TC=1 set still work.
- Jared
> On Feb 25, 2016, at 10:52 PM, Paras Jha <paras at protrafsolutions.com> wrote:
>
> It's interesting that they'd call about DNS amplification... You don't
> typically see DNS amplified floods coming from home ISPs. I would imagine
> SSDP amplification is a far greater issue for any home ISP.
>
> On Thu, Feb 25, 2016 at 10:46 PM, Mike Hammett <nanog at ics-il.net> wrote:
>
>> I know. It seems odd, doesn't it?
>>
>> They're actually suspending people's accounts for DNS amplification. My
>> aunt got a call about it tonight. I had already firewalled that off on her
>> router before they called, but they're doing it. There's more that they
>> could do I'm sure, but they're doing it. Maybe it's flooding their upstream
>> causing other service issues.... but they're doing it.
>>
>> So many others aren't doing much at all.
>>
>> -----
>> Mike Hammett
>> Intelligent Computing Solutions
>> http://www.ics-il.com
>>
>> Midwest-IX
>> http://www.midwest-ix.com
>>