[nsp-sec] Port 53 Blocking on DSL/Cable Networks

Smith, Donald Donald.Smith at qwest.com
Fri Feb 1 09:22:47 EST 2008


If you have the ability, look at your netflow for records showing UDP packets towards 85.255.112-116.*:53.
 
That is a range used by zlob + dnschanger + fake codec.
 
 
donald.smith at qwest.com giac

________________________________

From: nsp-security-bounces at puck.nether.net on behalf of Krista Hickey
Sent: Thu 1/31/2008 4:53 PM
To: nsp-security at puck.nether.net
Subject: Re: [nsp-sec] Port 53 Blocking on DSL/Cable Networks



----------- nsp-security Confidential --------

On 31-Jan-2008, at 13:16, <jonathan.curtis at bell.ca> wrote:
> Has anyone taken a serious look at blocking these ports externally on
> their networks?
>
> Reasons I ask:
>
> 1. Prevent Home Gateway Pharming / Phishing
>
> http://www.news.com/8301-10789_3-9855195-57.html
>
> http://www.cert.org.mx/imagenes/dns.png

On 31-Jan-2008, Joe Abley wrote:
>Blocking 53/udp is a really bad way to try and fix that problem.

Agreed. After all, blocking is bad ;)

That said, I understand Jonathan's pain. Our company has hundreds of
thousands of customers with jebus knows what routing or home networking
devices that could be vulnerable to this, or like, attack (my company
only provides routing devices to a very small subset of business
customers). While ultimately it's a vendor<-->customer issue the reality
is that we feel the pain be it network impact, abuse desk impact,
support impact, etc so what to do? So far the only thing I can think of
is improved network visibility and improved feedback loops between ISPs,
TLDs, etc but I'm open to ideas.

Krista
7992

PS - This discussion probably should be on -discuss

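One way to run the netflow check suggested in the first reply above, as an added example that is not part of the original thread. The CSV layout, field names and function name are assumptions, and the sample flow records are constructed (sources use documentation address ranges).

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Range named in the post: 85.255.112-116.* (third octet 112 through 116).
# It is not a single CIDR block, so let ipaddress derive the covering prefixes.
WATCH_NETS = list(ipaddress.summarize_address_range(
    ipaddress.IPv4Address("85.255.112.0"),
    ipaddress.IPv4Address("85.255.116.255"),
))

# Constructed sample flow export (assumed CSV layout, not a real collector format).
SAMPLE_FLOWS = """\
ts,src,dst,proto,dport,packets
2008-02-01T09:00:01,192.0.2.10,85.255.113.7,udp,53,4
2008-02-01T09:00:02,192.0.2.10,85.255.116.200,udp,53,2
2008-02-01T09:00:03,192.0.2.11,198.51.100.53,udp,53,9
2008-02-01T09:00:04,192.0.2.12,85.255.117.1,udp,53,1
2008-02-01T09:00:05,192.0.2.13,85.255.112.1,tcp,80,3
2008-02-01T09:00:06,203.0.113.5,85.255.115.255,UDP,53,7
2008-02-01T09:00:07,203.0.113.6,not-an-ip,udp,53,1
"""

def suspect_clients(flow_csv):
    """Return {src: {"packets": n, "dsts": [...]}} for UDP/53 flows into WATCH_NETS."""
    hits = defaultdict(lambda: {"packets": 0, "dsts": set()})
    for row in csv.DictReader(io.StringIO(flow_csv)):
        if row["proto"].lower() != "udp" or row["dport"] != "53":
            continue
        try:
            dst = ipaddress.IPv4Address(row["dst"])
        except ValueError:
            continue  # skip malformed records rather than abort the run
        if any(dst in net for net in WATCH_NETS):
            hits[row["src"]]["packets"] += int(row["packets"])
            hits[row["src"]]["dsts"].add(str(dst))
    return {src: {"packets": h["packets"], "dsts": sorted(h["dsts"])}
            for src, h in hits.items()}

if __name__ == "__main__":
    # One line per customer address that sent DNS queries into the watched range.
    for src, info in sorted(suspect_clients(SAMPLE_FLOWS).items()):
        print(src, info["packets"], ",".join(info["dsts"]))
```

The source addresses it reports are the customers whose hosts or home gateways are sending DNS queries into that range, which gives the abuse desk a list to work from without blocking 53/udp.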