[nsp-sec] DNS and SNMP Reflection Attack Hosts
Smith, Donald
Donald.Smith at CenturyLink.com
Mon Jun 24 13:30:39 EDT 2013
Not faulting anyone here. We have some modems that are contributing. We have told the vendors NOT to enable such junk on the wan side (many, many times) but for some reason they don't get it.
Maybe we need something like this for cpe providers?
http://tools.ietf.org/html/rfc3871
Customer managed devices are out of scope in that rfc :(
(coffee != sleep) & (!coffee == sleep)
Donald.Smith at centurylink.com
From: Joel L. Rosenblatt [joel at columbia.edu]
Sent: Monday, June 24, 2013 11:21 AM
To: Smith, Donald
Cc: Tom Paseka; nsp-security at puck.nether.net; Krista Hickey
Subject: Re: [nsp-sec] DNS and SNMP Reflection Attack Hosts
Agree - but the printers are not owned by the University, they are
just plugged into our network - we are just an ISP :-)
Maybe HP and the other manufacturers could be convinced that this is a bad idea
Joel
Joel Rosenblatt, Director Network & Computer Security
Columbia Information Security Office (CISO)
Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033
http://www.columbia.edu/~joel
Public PGP key
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x90BD740BCC7326C3
On Mon, Jun 24, 2013 at 1:14 PM, Smith, Donald
<Donald.Smith at centurylink.com> wrote:
> As designed snmp shouldn't be open to the internet with public as the
> community. That is a POOR design.
>
> Same for dns on customers gateways :(
>
> Having said that ack for ours (Qwest, savvis, embarq, CenturyTel...)
>
> Would a netflow report showing who is being attacked by these reflectors be
> valuable to the community?
>
> I may have to do one anyways to get timestamps as date is usually not good
> enough for our abuse staff to notify dyn ip customers:)
>
> (coffee != sleep) & (!coffee == sleep)
> Donald.Smith at centurylink.com
> ________________________________
> From: nsp-security [nsp-security-bounces at puck.nether.net] on behalf of Tom
> Paseka [tom at cloudflare.com]
> Sent: Monday, June 24, 2013 10:44 AM
> To: Joel L. Rosenblatt
> Cc: nsp-security at puck.nether.net; Krista Hickey
> Subject: Re: [nsp-sec] DNS and SNMP Reflection Attack Hosts
>
> ----------- nsp-security Confidential --------
>
> Joel,
>
> On Mon, Jun 24, 2013 at 9:39 AM, Joel L. Rosenblatt
> <joel at columbia.edu> wrote:
>
>> ----------- nsp-security Confidential --------
>>
>>
>> Now, my question is - are these machines compromised or are they just
>> acting as designed
>>
>>
> With SNMP reflection - they're acting as designed. Someone is spoofing an
> IP address - then doing a SNMP get against the printers.
>
> You should lock down SNMP access to them.
>
> Cheers,
> Tom
>
>
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
>
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> community. Confidentiality is essential for effective Internet security
> counter-measures.
> _______________________________________________
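The netflow report floated in the thread (which targets the reflectors are hitting, with timestamps precise enough to map dynamic IPs back to customers) could be sketched as follows. This is an added example, not code from any participant in the thread; the CSV column layout, the `reflection_report` name, the `min_bytes` cutoff and the sample flows (documentation address ranges) are all assumptions made for illustration.

```python
import csv
import ipaddress
from collections import defaultdict

# Constructed sample flow export (not real traffic). Assumed columns:
# start time (UTC), proto, src ip, src port, dst ip, dst port, bytes.
SAMPLE_FLOWS = """\
2013-06-24T15:02:11Z,udp,192.0.2.10,161,203.0.113.7,40112,48211
2013-06-24T15:02:40Z,udp,192.0.2.10,161,203.0.113.7,40112,51090
2013-06-24T15:03:05Z,udp,192.0.2.77,53,203.0.113.7,1234,30500
2013-06-24T15:03:09Z,udp,192.0.2.77,53,198.51.100.9,5353,120
2013-06-24T15:04:00Z,tcp,192.0.2.10,443,203.0.113.7,50000,9000
2013-06-24T15:05:30Z,udp,198.51.100.9,161,192.0.2.10,161,70000
"""

SERVICES = {161: "snmp", 53: "dns"}  # UDP source ports of reflected replies


def reflection_report(flow_csv, customer_net, min_bytes=1000):
    """Group reply traffic leaving customer_net from UDP 161/53 by victim.

    Returns {victim_ip: [(reflector, service, first_seen, last_seen, bytes)]}.
    min_bytes is an assumed cutoff that skips ordinary small replies.
    """
    net = ipaddress.ip_network(customer_net)
    agg = defaultdict(lambda: [None, None, 0])  # first seen, last seen, bytes
    for ts, proto, src, sport, dst, _dport, nbytes in csv.reader(flow_csv.splitlines()):
        if proto != "udp" or int(sport) not in SERVICES:
            continue
        # Only replies from our own hosts toward the outside are of interest.
        if ipaddress.ip_address(src) not in net or ipaddress.ip_address(dst) in net:
            continue
        entry = agg[(dst, src, SERVICES[int(sport)])]
        # Same-format ISO 8601 UTC strings order correctly as plain strings.
        entry[0] = ts if entry[0] is None else min(entry[0], ts)
        entry[1] = ts if entry[1] is None else max(entry[1], ts)
        entry[2] += int(nbytes)
    report = defaultdict(list)
    for (victim, reflector, service), (first, last, total) in sorted(agg.items()):
        if total >= min_bytes:
            report[victim].append((reflector, service, first, last, total))
    return dict(report)
```

The per-reflector first and last timestamps are what an abuse desk would match against DHCP or RADIUS lease records for dynamically addressed customers.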