I've gotten a couple emails on this. To summarize: 1) some malware uses tftp. However much malware now uses other ports, such as 80 2) There are numerous buffer overflow bugs with tftp. This would seem to be better resolved with rACLs or ACLs towards loopback/interface blocks. (and, of course, turning tftp off and using scp or sftp) It would be interesting to find out what percentage of Internet accessible routers are remotely upgradable via TFTP presently. Sadly, this would be non-zero... - Dan On 2/15/05 4:28 PM, "Rob Thomas" <robt@cymru.com> wrote:
Hi, Dan.
] Why block TFTP at your borders? To keep people from loading new versions of ] IOS on your routers? ;)
Funny you should mention that. :) We have seen miscreants do exactly that. They will upgrade or downgrade routers to support a feature set of their choosing.
A lot of malware uses TFTP to update itself as well.
Please note that I am NOT advocating the blocking of TFTP.
Thanks, Rob.