SSDP, DNS and other amplification is a big issue for large consumer networks like Comcast.

This is something I’m hoping other vendors take seriously (e.g. Netgear) when it comes to their usage of DNSMASQ and other tools on-box and iptables configs that promote spoofing by using IP ranges vs constraining rules with the ingress/egress interface. It’s these simple amateur errors that can turn a port 53 redirect into a spoofing instance when it only passes the INPUT rule vs the -t NAT rule.

Please block SSDP and Chargen on your networks. Consider rate-limiting DNS & SNMP to 1% or something appropriate to avoid issues. Make sure you permit TCP/53 for DNS queries so TC=1 lookups work.

- Jared

> On Feb 25, 2016, at 10:52 PM, Paras Jha <pa...@protrafsolutions.com> wrote:
>
> It's interesting that they'd call about DNS amplification... You don't
> typically see DNS amplified floods coming from home ISPs. I would imagine
> SSDP amplification is a far greater issue for any home ISP.
>
> On Thu, Feb 25, 2016 at 10:46 PM, Mike Hammett <na...@ics-il.net> wrote:
>
>> I know. It seems odd, doesn't it?
>>
>> They're actually suspending people's accounts for DNS amplification. My
>> aunt got a call about it tonight. I had already firewalled that off on her
>> router before they called, but they're doing it. There's more that they
>> could do I'm sure, but they're doing it. Maybe it's flooding their upstream
>> causing other service issues.... but they're doing it.
>>
>> So many others aren't doing much at all.
>>
>> -----
>> Mike Hammett
>> Intelligent Computing Solutions
>> http://www.ics-il.com
>>
>> Midwest-IX
>> http://www.midwest-ix.com
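Jared's points about interface-scoped redirects, blocking SSDP/chargen, rate-limiting DNS and keeping TCP/53 open, put together as an added example (not code from the thread or from any vendor). It emits an iptables-restore ruleset for a Linux CPE running dnsmasq; the interface names, LAN prefix and rate-limit figures are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: emits an iptables-restore ruleset for a
# Linux CPE router running dnsmasq. Interface names, the LAN prefix and the
# rate-limit figures are assumptions; set LAN, WAN and LAN_NET for your box.
gen_rules() {
  lan=$1; wan=$2; lan_net=$3
  cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Redirect DNS to the on-box resolver only for packets that arrived on the
# LAN interface. Keying on a source-IP range instead would also redirect
# packets arriving on the WAN with a spoofed LAN source.
-A PREROUTING -i $lan -p udp --dport 53 -j REDIRECT --to-ports 53
-A PREROUTING -i $lan -p tcp --dport 53 -j REDIRECT --to-ports 53
-A POSTROUTING -o $wan -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Anti-spoofing: a LAN source address never legitimately arrives on the WAN.
-A INPUT -i $wan -s $lan_net -j DROP
-A FORWARD -i $wan -s $lan_net -j DROP
# Refuse the classic reflectors on the WAN side: SSDP (udp/1900), chargen (19).
-A INPUT -i $wan -p udp --dport 1900 -j DROP
-A INPUT -i $wan -p udp --dport 19 -j DROP
-A INPUT -i $wan -p tcp --dport 19 -j DROP
# Resolver and SNMP agent answer the LAN only; UDP DNS is rate-limited per
# client, TCP/53 stays open so TC=1 retries work.
-A INPUT -i $lan -p udp --dport 53 -m hashlimit --hashlimit-name dns --hashlimit-mode srcip --hashlimit-upto 50/sec --hashlimit-burst 100 -j ACCEPT
-A INPUT -i $lan -p udp --dport 53 -j DROP
-A INPUT -i $lan -p tcp --dport 53 -j ACCEPT
-A INPUT -i $lan -p udp --dport 161 -m limit --limit 10/sec -j ACCEPT
# BCP38 egress filtering: only traffic sourced from the LAN prefix is forwarded.
-A FORWARD -i $lan -s $lan_net -o $wan -j ACCEPT
-A FORWARD -i $wan -o $lan -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}
# Sanity check: every REDIRECT rule must be scoped to an ingress interface.
check_redirects() {
  if gen_rules "$@" | grep -- '-j REDIRECT' | grep -qv -- ' -i '; then
    return 1
  fi
}
gen_rules "${LAN:-br-lan}" "${WAN:-eth0}" "${LAN_NET:-192.168.1.0/24}"
```

Pipe the output through `iptables-restore --test` on the target box before committing it.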