Dear Community,
We see more and more SSDP 'scans' in our network (coming from outside
into our AS). Of course our clients have open vulnerable boxes (last one
is an enterprise class Synology with all default ports open:-)) which
could be used as a reflection SSDP client.
As SSDP is used with PnP
On Mon, 25 Mar 2019, marcel.duregards--- via NANOG wrote:
As SSDP is used with PnP for local LAN service discovery, we are
thinking of:
1) educate our client (take a lot of time)
2) filter incoming SSDP packets (UDP port 1900 at least) in our bgp border
It's always a bad idea to do packet filte
On Mon, 25 Mar 2019, marcel.duregards--- via NANOG wrote:
> As SSDP is used with PnP for local LAN service discovery, we are
> thinking of:
>
> 1) educate our client (take a lot of time)
> 2) filter incoming SSDP packets (UDP port 1900 at least) in our bgp
> border
Looking back at logs for VoIP
Barry Greene has already written up a great overview, and provides links
to best practices on ISP port filtering, pro & con.
http://www.senki.org/exploitable-port-filtering/
My advice is consistent with Barry's, but I should have done my web research
first :-)
On 25/03/2019 09:17, Sean Donelan wrote:
> It's always a bad idea to do packet filtering at your bgp border.
Wild assertion. Why?
DoS mitigation, iACLs, BGP security... I can think of lots of very
sensible reasons.
--
Tom
Block SSDP and move on.
SSDP is a horrible DDoS vector.
Comcast and many others already block it, because it is the smart and best
thing to do.
https://www.xfinity.com/support/articles/list-of-blocked-ports
On Mon, Mar 25, 2019 at 1:30 AM marcel.duregards--- via NANOG <nanog@nanog.org> wrote:
Actually a little surprised to see port 25 blocked in both directions here
along with 1080. It’s like saying here’s your network but it’s limited.
Though I wouldn’t recommend spawning up 25 it’s still a legitimately used port
today as alike with 1080.
--
J. Hellenthal
The fact that there
On Mon, Mar 25, 2019 at 5:33 AM Jason Hellenthal wrote:
> Actually a little surprised to see port 25 blocked in both directions here
> along with 1080. It’s like saying here’s your network but it’s limited.
>
> Though I wouldn’t recommend spawning up 25 it’s still a legitimately used
> port t
On 25/03/2019 13:44, Ca By wrote:
> Different topic. But most broadband providers have a similar
> list and it nearly always has port 25 blocked and you know why
https://ipv6.he.net/certification/faq.php
HE blocks IRC 6667 and SMTP 25 ports on https://tunnelbroker.net/
tunnels for the same reaso
Keep it short!
Roxanna I. Cieplinska
M: + 1 (415) 412-7699
Sent from my iPhone
> On Mar 22, 2019, at 5:50 PM, Michael Thomas wrote:
>
> I know it's a little tangential, but it's a huge operational issue for
> network operations too. Have any NANOG folks been paying attention to
> webauthn? i
My understanding is that 2-factor is one of the primary drivers for
webauthn. I feel that hardware dongles are the thing of the past, with
software now being available that runs on your smartphone and serves the
same function. Example - Google Authenticator.
__
Regards,
Mauricio Rodriguez
Fo
I will personally always prefer hardware based methods where the private
key data is never exposed over pure software based methods.
On Mon, Mar 25, 2019 at 9:32 AM Mauricio Rodriguez wrote:
> My understanding is that 2-factor is one of the primary drivers for
> webauthn. I feel that hardware d
On Mon, 25 Mar 2019, Tom Hill wrote:
On 25/03/2019 09:17, Sean Donelan wrote:
It's always a bad idea to do packet filtering at your bgp border.
Wild assertion. Why?
My mistake trying to keep it simple. I should have just posted Barry
Greene's link.
http://www.senki.org/exploitable-port-fil
If your edge ingress ACLs are not 100% in sync all the time, you will
inevitably have Really Weird Stuff happen that will end up taking forever
to diagnose.
You will eventually end up closing off a port that something else needs to
work properly, and now you have to figure out how to resolve that.
On 3/25/19 9:08 AM, Tom Beecher wrote:
If your edge ingress ACLs are not 100% in sync all the time, you will
inevitably have Really Weird Stuff happen that will end up taking
forever to diagnose.
You will eventually end up closing off a port that something else needs
to work properly, and now
On Mon, 25 Mar 2019, Bryan Holloway wrote:
And we are careful to ensure that any updates are pushed to all edge
ingresses.
BGP-edge filters don't help with customer-to-customer packets within the
same ISP BGP autonomous area. So you would need CPE customer-edge filters
anyway. A small ISP mig
Hey Tom,
> If your edge ingress ACLs are not 100% in sync all the time, you will
> inevitably have Really Weird Stuff happen that will end up taking forever to
> diagnose.
You may in some cases have hard-to-troubleshoot issues, which is true
for everything, even when perfectly configured, becau
"It seems your position is 'I don't know how ACLs
work on my platforms and I don't trust myself to write ACLs, so I
should not do them',"
That is not my position at all, but thanks.
On Mon, Mar 25, 2019 at 12:43 PM Saku Ytti wrote:
> Hey Tom,
>
> > If your edge ingress ACLs are not 100% in sy
Have any of you seen the Comcast XB6 modem blocking TFTP and some SIP requests?
We put the modem into bridge mode and TFTP requests are successful. Reset it,
set security to the lowest setting, disable the firewall... no TFTP requests
pass.
Modem\Router - cable - laptop.
Of course we can't
This is being covered on local San Francisco Bay Area media, but in case
network engineers aren't paying attention to the local news, here is an
opportunity for tech folks in the Oakland area to participate in the
Earthquake Early Warning Test.
TEST INFORMATION
Date: Wednesday, March 27th, 2019
Ti
Well,
It has been a challenge. I am not sure who helped or fixed the problem,
but now anything hosted on softlayer.com is responding.
I am not sure if there was anyone lurking on the list that helped out, but
if you are, Thank You.
I have a batch of new stuff not working, but they may be one of
You may already be aware, but TFTP - like FTP - is not a NAT friendly
protocol and requires a helper or ALG to inspect the control channel in
order to open up and translate the connections used by the data channel
(which use unrelated high numbered UDP ports). If TFTP is not working
when NAT is