[AusNOG] large data bills on telstra.extranet
Dobbins, Roland
rdobbins at arbor.net
Fri Dec 6 14:52:54 EST 2013
On Dec 6, 2013, at 10:14 AM, Tom.Minchin at csiro.au wrote:
> There is no point trying to firewall your device as your traffic is metered and billed what is sent to your device, regardless of whether it is received.
Thanks for posting this, including the follow-up - it's a valuable lesson for both wireless and wireline broadband operators.
Some simple policies deployed by default (along with an AUP proviso prohibiting the deployment of servers on broadband access networks, which ought to be the default, in most cases) with an opt-out proviso allowing 'advanced' users to remove these restrictions via a Web portal tied into the provisioning system, would greatly reduce the abuse of misconfigured devices on broadband access networks for UDP-based reflection/amplification attacks:
-----
access-list 101 remark Apply these stanzas inbound on coreward customer aggregation gateway interfaces.
access-list 101 remark Allow UDP/500 for IPSEC VPN ISAKMP.
access-list 101 permit udp any 172.19.25.0 0.0.0.255 eq 500
access-list 101 remark Deny all other inbound UDP to reserved ports on customer nodes.
access-list 101 deny udp any 172.19.25.0 0.0.0.255 lt 1024
access-list 101 remark Allow all other IP traffic to customer nodes - VERY important!
access-list 101 permit ip any 172.19.25.0 0.0.0.255
-----
If we want to be more granular, we can do this:
-----
access-list 101 remark Apply these stanzas inbound on coreward customer aggregation gateway interfaces.
access-list 101 remark Deny all inbound UDP to chargen on customer nodes.
access-list 101 deny udp any 172.19.25.0 0.0.0.255 eq 19
access-list 101 remark Deny inbound UDP to DNS on customer nodes.
access-list 101 deny udp any 172.19.25.0 0.0.0.255 eq 53
access-list 101 remark Deny all inbound UDP to SNMP on customer nodes.
access-list 101 deny udp any 172.19.25.0 0.0.0.255 eq 161
access-list 101 remark Deny all inbound UDP to ntp on customer nodes.
access-list 101 deny udp any 172.19.25.0 0.0.0.255 eq 123
access-list 101 remark Allow all other IP traffic to customer nodes - VERY important!
access-list 101 permit ip any 172.19.25.0 0.0.0.255
-----
We'd also need to add RADIUS and other services as warranted to the second example; the first example is intended to be deployed once, without the need for tinkering.
For wireless operators in particular, something like this should be considered in order to avoid billing and battery-drain issues due to aggressive scanning on services like TCP/22 and TCP/445, as well as abuse for reflection/amplification DDoS attacks:
-----
access-list 101 remark Apply these stanzas inbound on peering/transit interfaces or on coreward aggregation gateway interfaces.
access-list 101 remark Allow high-port TCP for sessions initiated by wireless nodes.
access-list 101 permit tcp any 172.19.25.0 0.0.0.255 gt 1023 established
access-list 101 remark Deny all other inbound TCP to wireless nodes (ftp sessions must be PASV).
access-list 101 deny tcp any 172.19.25.0 0.0.0.255 any
access-list 101 remark Allow UDP/500 for IPSEC VPN ISAKMP.
access-list 101 permit udp any 172.19.25.0 0.0.0.255 eq 500
access-list 101 remark Deny all other inbound UDP to reserved ports on wireless nodes.
access-list 101 deny udp any 172.19.25.0 0.0.0.255 lt 1024
access-list 101 remark Deny ping to wireless nodes - if ping is required, eliminate this stanza & use QoS, instead.
access-list 101 deny icmp any 172.19.25.0 0.0.0.255 echo-request
access-list 101 remark Allow all other IP traffic to wireless nodes - VERY important!
access-list 101 remark Depending on where this ACL is applied, permit ip any any may be preferable.
access-list 101 permit ip any 172.19.25.0 0.0.0.255
-----
-----------------------------------------------------------------------
Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>
Luck is the residue of opportunity and design.
-- John Milton
More information about the AusNOG
mailing list