[AusNOG] large data bills on telstra.extranet

Tom.Minchin at csiro.au Tom.Minchin at csiro.au
Fri Dec 6 14:14:30 EST 2013


Hi all,

Thanks for all the replies and tips, and great direct action from Telstra techs on the list.

It appears there are a number of issues that we should have considered before using the telstra.extranet APN.

1. There is no firewall on this connection and the internet is naturally noisy, so if you have a small data plan you need to consider the general noise in your costs.
2. If you have telemetry devices, make sure they are safe against being hijacked. In this particular case, telemetry boxes can be poorly designed, and we found one variety of unit had open recursive DNS servers (the manufacturer has been advised; I'll pass on the details to AusCERT). These were being scanned and IP addresses sold off as DNS amplifier DDoS agents.

2a) thus if your unit was vulnerable, you would cop a few gigabytes of DNS traffic while it attacked Facebook or whomever.
2b) if your unit isn't vulnerable but you are lucky enough to be allocated an IP address previously recorded as being vulnerable, you still could cop a lot of traffic from "hackers" still trying to access the previous device. There is no point trying to firewall your device, as your traffic is metered and billed on what is sent to your device, regardless of whether it is received.

In good news, Telstra are now firewalling unwanted DNS traffic to telstra.extranet, so this should not cause problems as of yesterday, for either vulnerable or non-vulnerable units.

Tom


________________________________________
From: Minchin, Tom (CSIRO IM&T, Yarralumla)
Sent: Monday, 25 November 2013 3:19 PM
To: ausnog at lists.ausnog.net
Subject: large data bills on telstra.extranet

Hi,

I’m looking to talk to anyone who has been receiving large data bills using the APN Telstra.extranet on Telstra’s mobile network.  We’ve got a lot of sensor equipment which uses it and over the last 3 months have been receiving large bills due to what appears to be DoS attacks on the public IP space that Telstra uses.

I suspect we’ll have to move up the level of maturity of technical design to not use public IP (instead have a closed APN).

Some background info I dug up: http://forums.whirlpool.net.au/archive/2175897 and Maxon had a link warning customers too (but their site appears to be down today).

Tom
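
An added example, not part of the original emails: a minimal check for the open recursive DNS condition described in point 2 above, meant for a unit you operate and run from outside its network. The function names, the example.com query name and the constructed sample reply are assumptions for illustration.

```python
import socket
import struct

def build_query(name, txid=0x1234):
    """Build a DNS A query with the RD (recursion desired) bit set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def classify(query, response):
    """Return 'open', 'not-recursive', 'no-reply' or 'invalid' for a reply."""
    if response is None:
        return "no-reply"
    if len(response) < 12:
        return "invalid"
    txid, flags = struct.unpack("!HH", response[:4])
    if txid != struct.unpack("!H", query[:2])[0] or not flags & 0x8000:
        return "invalid"  # wrong transaction id, or QR bit says it is not a response
    recursion_available = bool(flags & 0x0080)
    rcode = flags & 0x000F
    # NOERROR (0) or NXDOMAIN (3) with RA set means the unit resolved on our behalf.
    return "open" if recursion_available and rcode in (0, 3) else "not-recursive"

def amplification(query, response):
    """Response bytes returned per query byte."""
    return len(response) / len(query)

def probe(host, name="example.com", timeout=3.0):
    """Send one query to a unit you operate and classify what comes back."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(query, (host, 53))
            response, _ = s.recvfrom(4096)
        except OSError:  # timeout or ICMP port unreachable
            response = None
    return classify(query, response)

def constructed_reply(query, flags, answers=0):
    """Constructed sample reply (not captured traffic) for offline checks."""
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes([192, 0, 2, 1])
    header = query[:2] + struct.pack("!HHHHH", flags, 1, answers, 0, 0)
    return header + query[12:] + rr * answers
```

A result of "open" means the unit answers recursive queries from arbitrary sources and should be reconfigured or placed behind a closed APN.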

