SSDP, DNS and other amplification is a big issue for large consumer networks like Comcast. This is something I’m hoping other vendors take seriously (e.g. Netgear) when it comes to their usage of DNSMASQ and other tools on-box and iptables configs that promote spoofing by using IP ranges vs constraining rules with the ingress/egress interface. It’s these simple amateur errors that can turn a port 53 redirect into a spoofing instance when it only passes the INPUT rule vs -t NAT rule. Please block SSDP and Chargen on your networks. Consider rate-limiting DNS & SNMP to 1% or something appropriate to avoid issues. Make sure you permit TCP/53 for DNS queries so that lookups with TC=1 set still work. - Jared
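The iptables mistake described above (a port 53 redirect matched on the LAN address range alone) next to an interface-constrained version, as an added shell example that is not part of this thread. Interface names, the LAN range and the resolver address are assumptions; DRY_RUN=1 prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example, not from the thread. Interface names and addresses are
# assumptions: WAN=eth0, LAN=br-lan, LAN_NET=192.168.1.0/24, RESOLVER=192.168.1.1.
WAN=${WAN:-eth0}
LAN=${LAN:-br-lan}
LAN_NET=${LAN_NET:-192.168.1.0/24}
RESOLVER=${RESOLVER:-192.168.1.1}

# ipt runs iptables, or prints the rule when DRY_RUN=1 so a ruleset can be
# reviewed on a machine without root or iptables.
ipt() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf 'iptables %s\n' "$*"
  else
    iptables "$@"
  fi
}
# The mistake the message describes: the redirect matches only on the source
# address range. A packet arriving on the WAN with a forged LAN source address
# matches as well, so the on-box resolver ends up answering spoofed queries.
weak_dns_redirect() {
  ipt -t nat -A PREROUTING -s "$LAN_NET" -p udp --dport 53 \
      -j DNAT --to-destination "$RESOLVER"
}
# Corrected ruleset: every rule is tied to the ingress interface, and the filter
# table drops WAN packets claiming a LAN source, so a nat match leads nowhere.
hardened_rules() {
  ipt -A INPUT   -i "$WAN" -s "$LAN_NET" -j DROP          # anti-spoof
  ipt -A FORWARD -i "$WAN" -s "$LAN_NET" -j DROP
  for proto in udp tcp; do                                 # TCP/53 so TC=1 retries work
    ipt -t nat -A PREROUTING -i "$LAN" -s "$LAN_NET" -p "$proto" --dport 53 \
        -j DNAT --to-destination "$RESOLVER"
    ipt -A INPUT -i "$LAN" -p "$proto" --dport 53 -j ACCEPT
  done
  ipt -A INPUT -i "$WAN" -p udp --dport 53   -j DROP       # no DNS service to the internet
  ipt -A INPUT -i "$WAN" -p udp --dport 161  -j DROP       # SNMP
  ipt -A INPUT -i "$WAN" -p udp --dport 1900 -j DROP       # SSDP
  ipt -A INPUT -i "$WAN" -p udp --dport 19   -j DROP       # chargen
  ipt -A INPUT -i "$WAN" -p tcp --dport 19   -j DROP
}
# Stand-alone use: "./fw.sh apply" installs the rules; anything else prints them.
if [ "${1:-}" = "apply" ]; then
  hardened_rules
else
  DRY_RUN=1
  hardened_rules
fi
```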
On Feb 25, 2016, at 10:52 PM, Paras Jha <paras@protrafsolutions.com> wrote:
It's interesting that they'd call about DNS amplification... You don't typically see DNS amplified floods coming from home ISPs. I would imagine SSDP amplification is a far greater issue for any home ISP.
On Thu, Feb 25, 2016 at 10:46 PM, Mike Hammett <nanog@ics-il.net> wrote:
I know. It seems odd, doesn't it?
They're actually suspending people's accounts for DNS amplification. My aunt got a call about it tonight. I had already firewalled that off on her router before they called, but they're doing it. There's more that they could do I'm sure, but they're doing it. Maybe it's flooding their upstream causing other service issues... but they're doing it.
So many others aren't doing much at all.
-----
Mike Hammett
Intelligent Computing Solutions
http://www.ics-il.com
Midwest-IX
http://www.midwest-ix.com