[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Thank you, Comcast.

Subject: Thank you, Comcast.
From: nick at foobar.org (Nick Hilliard)
Date: Fri, 26 Feb 2016 13:17:30 +0000
In-reply-to: <[email protected]>
References: <1310695257.13597.1456458114690.JavaMail.mhammett@ThunderFuck> <1341162075.13611.1456458371134.JavaMail.mhammett@ThunderFuck> <CAJayEpEU9aNHBnf+dG0KMypZmp7rQx-Ycz321-zWXi5anGfrUQ@mail.gmail.com> <[email protected]> <[email protected]>

Mikael Abrahamsson wrote:
> Why isn't UDP/53 blocked towards customers? I know historically there
> were resolvers that used UDP/53 as source port for queries, but is this
> the case nowadays?
> 
> I know providers that have blocked UDP/53 towards customers as a
> countermeasure to the amplification attacks. As far as I heard, there
> were no customer complaints.

Traffic from dns-spoofing attacks generally has src port = 53 and dst
port = random.  If you block packets with udp src port=53 towards
customers, you will also block legitimate return traffic if the
customers run their own DNS servers or use opendns / google dns / etc.

Nick

Follow-Ups:
- Thank you, Comcast.
  - From: nanog at ics-il.net (Mike Hammett)
- Thank you, Comcast.
  - From: rdobbins at arbor.net (Roland Dobbins)
- Thank you, Comcast.
  - From: swmike at swm.pp.se (Mikael Abrahamsson)

References:
- Thank you, Comcast.
  - From: nanog at ics-il.net (Mike Hammett)
- Thank you, Comcast.
  - From: paras at protrafsolutions.com (Paras Jha)
- Thank you, Comcast.
  - From: jared at puck.nether.net (Jared Mauch)
- Thank you, Comcast.
  - From: swmike at swm.pp.se (Mikael Abrahamsson)

Prev by Date: Thank you, Comcast.
Next by Date: Thank you, Comcast.
Previous by thread: Thank you, Comcast.
Next by thread: Thank you, Comcast.
Index(es):
- Date
- Thread