I agree,

At the very least things like SNMP/NTP should be blocked. I mean how many 
people actually run a legit NTP server out of their home? Dozens? And the 
people who run SNMP devices with the default/common communities aren’t the ones 
using it. 

If the argument is that you need a Business class account to run a mail server 
then I have no problem extending that to DNS servers also.

Cheers,
Max

> On Feb 26, 2016, at 8:55 AM, Mikael Abrahamsson <swm...@swm.pp.se> wrote:
> 
> On Fri, 26 Feb 2016, Nick Hilliard wrote:
> 
>> Traffic from dns-spoofing attacks generally has src port = 53 and dst port = 
>> random.  If you block packets with udp src port=53 towards customers, you 
>> will also block legitimate return traffic if the customers run their own DNS 
>> servers or use opendns / google dns / etc.
> 
> Sure, it's a very interesting discussion what ports should be blocked or not.
> 
> http://www.bitag.org/documents/Port-Blocking.pdf
> 
> This mentions on page 3.1, TCP(UDP)/25,135,139 and 445. They've been blocked 
> for a very long time to fix some issues, even though there is legitimate use 
> for these ports.
> 
> So if you're blocking these ports, it seems like a small step to block 
> UDP/TCP/53 towards customers as well. I can't come up with an argument that 
> makes sense to block TCP/25 and then not block port UDP/TCP/53 as well. If 
> you're protecting the Internet from your customers' misconfiguration by 
> blocking port 25 and the MS ports, why not 53 as well?
> 
> This is a slippery slope of course, and judgement calls are not easy to make.
> 
> -- 
> Mikael Abrahamsson    email: swm...@swm.pp.se
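The point Nick raises above (blocking UDP source port 53 toward customers also drops legitimate DNS replies) is easy to see in a small simulation. The following is an added example, not code from any poster or from the BITAG document: it runs a naive "drop udp sport 53 toward customers" rule and a stateful alternative over a few constructed packets. The customer prefix 203.0.113.0/24 and the other addresses are RFC 5737 documentation ranges chosen here, and the packet objects are a simplified stand-in for real headers; the stateful variant also drops unsolicited queries to customer port 53, which is the policy Mikael argues for.

```python
from dataclasses import dataclass

# Constructed customer prefix (RFC 5737 documentation range), assumed for this example.
CUSTOMER_NET = "203.0.113."


@dataclass(frozen=True)
class Packet:
    """Minimal 5-tuple; a stand-in for a real UDP/TCP header."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "udp"


def to_customer(pkt: Packet) -> bool:
    return pkt.dst_ip.startswith(CUSTOMER_NET)


def naive_filter(packets):
    """ACL-style rule: drop every UDP packet with source port 53 heading toward customers.

    This stops spoofed reflection traffic but also kills the answers to queries
    the customer sent to 8.8.8.8, OpenDNS, or their own upstream resolver.
    """
    verdicts = []
    for p in packets:
        if p.proto == "udp" and p.src_port == 53 and to_customer(p):
            verdicts.append("drop")
        else:
            verdicts.append("accept")
    return verdicts


def stateful_filter(packets):
    """Stateful rule: accept source-port-53 traffic only if it answers a query the
    customer sent; drop unsolicited queries to customer port 53 (open-resolver abuse).

    State is a set of pending (server_ip, 53, client_ip, client_port) tuples. A real
    device would also expire entries; that bookkeeping is omitted here.
    """
    pending = set()
    verdicts = []
    for p in packets:
        if not to_customer(p):
            # Outbound from the customer: remember the tuple the reply must match.
            if p.proto == "udp" and p.dst_port == 53:
                pending.add((p.dst_ip, p.dst_port, p.src_ip, p.src_port))
            verdicts.append("accept")
            continue
        key = (p.src_ip, p.src_port, p.dst_ip, p.dst_port)
        if p.proto == "udp" and p.src_port == 53:
            if key in pending:
                pending.discard(key)
                verdicts.append("accept")      # legitimate reply to a customer query
            else:
                verdicts.append("drop")        # unsolicited: looks like reflection
        elif p.proto == "udp" and p.dst_port == 53:
            verdicts.append("drop")            # unsolicited query to a customer resolver
        else:
            verdicts.append("accept")
    return verdicts


# Constructed sample traffic, in arrival order.
SAMPLE_PACKETS = [
    Packet("203.0.113.10", 40000, "8.8.8.8", 53),          # customer query to a public resolver
    Packet("8.8.8.8", 53, "203.0.113.10", 40000),          # the matching reply
    Packet("198.51.100.7", 53, "203.0.113.10", 41000),     # unsolicited src-port-53 packet
    Packet("198.51.100.9", 5353, "203.0.113.20", 53),      # outside query to a customer's port 53
    Packet("198.51.100.9", 443, "203.0.113.10", 50000, "tcp"),  # unrelated TCP traffic
]


if __name__ == "__main__":
    for name, fn in (("naive", naive_filter), ("stateful", stateful_filter)):
        print(name, fn(SAMPLE_PACKETS))
```

The naive rule drops packet 2, the legitimate answer, along with packet 3; the stateful rule keeps the answer and drops only the unsolicited traffic. The catch for an access provider is that the stateful version needs per-flow state for every customer, which is why the thread treats it as a judgement call rather than a free win.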
