On 25.12.2025 at 01:08:05, Andrew via NANOG wrote:
> - Using any form of NAT / packet translation with IPv6 (not including nat64 / other v4 transition related)
Don't do that, there is enough address space for the customers.
> - Dropping non-TCP/UDP/ICMP protocols (outside of CGNat) - such as ‘raw’ IPSec ESP / AH without UDP encapsulation, or SCTP
Don't do that, it's the customers data and not yours, so do not interrupt other people's connections.
> - TCP MSS - MSS Clamping all connections
> - TCP MSS - MSS Clamping, but you instead (accidentally?) set MSS to your desired value even if it was lower before
This is crap. ICMP exists for this and also works for UDP.
> - Other TCP options - Dropping syn packets with invalid/unknown options
Not your task, this is being done at the customer's machines.
> - TCP connection interception - Network operator terminates TCP session from user and then establishes a new one with the original destination. All TCP options, sequence numbers, .. are lost in this translation
> - Related to above - Network accepts TCP connection which it will intercept (sends SYN/ACK to user) before it confirms that the destination is reachable
Are you a crappy ISP that really needs to do this?
> - Dropping/resetting port 80 sessions that don't ‘look like’ HTTP
> - Dropping/resetting port 443 sessions that don't ‘look like’ TLS
Can you please stop interfering with connections? You are an ISP and people pay you for transferring the data they requested.
> - Redirecting port 53 DNS queries to ISP’s own servers, regardless of destination IP
Do you want to attack it? Only nasty ISPs are doing this.
> - HTTP header injection into port 80 HTTP traffic (i.e. for user tracking)
> - HTTP content injection into port 80 HTTP traffic (i.e. replacing ads, adding dialogs, …) (and not blanket redirection for non-payment)
Ask in darknet crime forums for that. That is the right place for you if you want to do that.

-- 
Regards, Marco
Send unsolicited bulk mail to 1766621285muell@cartoonies.org
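Added example, not from Marco's or Andrew's post: a small check for the MSS clamping point in the thread. It parses the option block of a raw TCP SYN and compares the MSS the sender wrote with the MSS the far end actually received, separating conventional lowering from the harmful case where a middlebox raised an MSS that was already smaller. The SYN segments are constructed inline; `build_syn`, `parse_tcp_options` and `classify_mss` are names chosen here.

```python
import struct

def build_syn(mss, wscale=7):
    """Constructed sample: a bare TCP SYN header with MSS (kind 2) and
    window-scale (kind 3) options. mss=None omits the MSS option entirely."""
    opts = b""
    if mss is not None:
        opts += struct.pack("!BBH", 2, 4, mss)       # MSS option
    opts += struct.pack("!BBB", 3, 3, wscale) + b"\x00"  # wscale + EOL
    while len(opts) % 4:                             # pad to 32-bit words
        opts += b"\x00"
    data_offset = 5 + len(opts) // 4                 # header length in words
    hdr = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0,
                      data_offset << 4, 0x02, 65535, 0, 0)
    return hdr + opts

def parse_tcp_options(segment):
    """Return {kind: value_bytes} for every option in a raw TCP segment."""
    data_offset = (segment[12] >> 4) * 4
    opts, i, out = segment[20:data_offset], 0, {}
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                                # EOL
            break
        if kind == 1:                                # NOP
            i += 1
            continue
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("malformed TCP option")
        out[kind] = opts[i + 2:i + length]
        i += length
    return out

def mss_of(segment):
    opt = parse_tcp_options(segment).get(2)
    return struct.unpack("!H", opt)[0] if opt and len(opt) == 2 else None

def classify_mss(sent, observed):
    """'unchanged': no clamping; 'lowered': conventional clamping;
    'raised': a smaller MSS was overwritten with a larger one (the harmful
    case from the thread); 'stripped': the option vanished in transit."""
    s, o = mss_of(sent), mss_of(observed)
    if o is None:
        return "stripped"
    if s == o:
        return "unchanged"
    return "lowered" if o < s else "raised"
```

Feed it the SYN as sent by a client and the same SYN as captured behind the operator's network; anything other than "unchanged" or "lowered" is the behaviour the thread objects to.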