Routers have firewalls... But UPNP works on ipv6 :(
On Oct 22, 2016 10:39 AM, "Ken Hohhof" <af...@kwisp.com> wrote:
> Takeaway quote: the Internet is “vulnerable to toasters”.
>
> I’ve got to suspect most of these cheap Chinese webcams (i.e. 90% of them) and other devices are only accessible via a public IP address because of UPnP. And apparently they are forwarding not just HTTP and HTTPS through the router but also telnet and SSH. Death to UPnP! We don’t enable it when customers lease routers from us. These cams should be using some sort of proxy in the cloud to relay the video, not port forwarding on the customer’s router.
>
> I also suspect a lot of these are outside the US. At the risk of opening up the dreaded “NAT is not a firewall” and “IPv6 is great/terrible” debates, how does IPv6 not increase the IoT threat? What is the typical setup for an IPv6 enabled customer with toasters and webcams that get public IPs? Does the router from the ISP or supplied by the customer still implement a stateful firewall so that inbound traffic is blocked unless a connection has been established by outbound traffic or a port forwarding rule? Or are there IPv6 toasters with web and CLI access wide open? Does UPnP still exist with IPv6? Maybe it’s no more of a problem with IPv6, but then I still wonder, why are so many IoT devices accessible via telnet to exploit the hardcoded default passwords? Maybe it’s not our customers buying cheap webcams at Costco, maybe it’s really businesses putting their security cameras directly on public IP addresses?
>
> From: Af [mailto:af-boun...@afmug.com] On Behalf Of Jaime Solorza
> Sent: Saturday, October 22, 2016 9:57 AM
> To: Animal Farm <af@afmug.com>
> Subject: Re: [AFMUG] Another large DDoS, Stop Being a Dick
>
> 'Smart' home devices used as weapons in website attack
> http://www.bbc.com/news/technology-37738823
>
> On Oct 22, 2016 8:14 AM, "Mike Hammett" <af...@ics-il.net> wrote:
>
> Here's a tested config that works with standard IP Firewall. Once I get a chance, I'll make and test a version that uses raw.
>
> /ip firewall address-list
> add address=x.x.x.x/yy comment="My IPs" list=Public_Networks
> add address=x.x.x.x/yy comment="Upstream /30" list=Public_Networks
> add address=x.x.x.x/yy comment="Customer ABC's ARIN allocation" list=Public_Networks
>
> /ip firewall filter
> add action=drop chain=forward comment="Block Spoofed Traffic" out-interface=[upstream interface] src-address-list=!Public_Networks
>
> -----
> Mike Hammett
> Intelligent Computing Solutions <http://www.ics-il.com/>
> <https://www.facebook.com/ICSIL>
> <https://plus.google.com/+IntelligentComputingSolutionsDeKalb>
> <https://www.linkedin.com/company/intelligent-computing-solutions>
> <https://twitter.com/ICSIL>
> Midwest Internet Exchange <http://www.midwest-ix.com/>
> <https://www.facebook.com/mdwestix>
> <https://www.linkedin.com/company/midwest-internet-exchange>
> <https://twitter.com/mdwestix>
> The Brothers WISP <http://www.thebrotherswisp.com/>
> <https://www.facebook.com/thebrotherswisp>
> <https://www.youtube.com/channel/UCXSdfxQv7SpoRQYNyLwntZg>
> ------------------------------
>
> From: "Mike Hammett" <af...@ics-il.net>
> To: af@afmug.com
> Sent: Friday, October 21, 2016 12:17:13 PM
> Subject: Re: [AFMUG] Another large DDoS, Stop Being a Dick
>
> /ip firewall address-list
> add list="Public-IPs" address=x.x.x.x/yy disabled=no comment="My IPs"
> add list="Public-IPs" address=x.x.x.x/yy disabled=no comment="Downstream customer X IPs"
>
> /ip firewall filter
> add action=drop chain=forward comment="Drop spoofed traffic" disabled=no out-interface="To-Upstream" src-address-list=!"Public-IPs"
>
> That was largely composed off of the top of my head and typed on my phone, so it may not be completely accurate.
>
> You should also do it on customer-facing ports, not allowing anything to come in, but that would be best approached once Mikrotik adds the per-interface setting for unicast reverse path filtering. You would then set customer-facing interfaces to strict and all other interfaces to loose. They accepted the feature request, just haven't implemented it yet.
>
> ------------------------------
>
> From: "Mike Hammett" <af...@ics-il.net>
> To: af@afmug.com
> Sent: Friday, October 21, 2016 11:21:35 AM
> Subject: [AFMUG] Another large DDoS, Stop Being a Dick
>
> There's another large DDoS going on now. Go to this page to see if you can be used for UDP amplification (or other spoofing) attacks:
>
> https://www.caida.org/projects/spoofer/
>
> Go to these pages for more longer term bad behavior monitoring:
>
> https://www.shadowserver.org/wiki/
> https://radar.qrator.net/
>
> Maybe we need to start a database of ASNs WISPs are using and start naming and shaming them when they have bad actors on their network. This is serious, people.
> Take it seriously.
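Added example, not code from the thread or from MikroTik: a Python model of the two anti-spoofing controls Mike describes, the forward-chain egress rule (drop traffic leaving the upstream interface whose source is outside the operator's public prefixes) and the per-interface strict/loose unicast RPF he says MikroTik had not yet implemented. The prefixes (RFC 5737 documentation ranges standing in for x.x.x.x/yy), the routing table, the test addresses and every interface name other than To-Upstream are constructed for illustration.

```python
from ipaddress import ip_address, ip_network

# Constructed stand-in for the address list the thread calls Public_Networks.
PUBLIC_NETWORKS = [ip_network(p) for p in ("203.0.113.0/24", "198.51.100.0/30", "192.0.2.0/24")]
UPSTREAM = "To-Upstream"  # interface name taken from the thread's config

# Constructed routing table (prefix -> egress interface). The default route is
# left out on purpose: whether it satisfies uRPF is implementation-dependent.
ROUTES = {
    ip_network("203.0.113.0/24"): "ether2-customers",
    ip_network("192.0.2.0/24"): "ether3-customer-abc",
    ip_network("198.51.100.0/30"): UPSTREAM,
}

def in_address_list(src, networks=PUBLIC_NETWORKS):
    """True when src falls inside any prefix of the address list."""
    ip = ip_address(src)
    return any(ip in net for net in networks)

def egress_verdict(src, out_iface):
    """The thread's forward-chain rule: drop anything leaving via the upstream
    interface whose source is NOT in Public_Networks; everything else passes."""
    if out_iface == UPSTREAM and not in_address_list(src):
        return "drop"
    return "accept"

def reverse_path_iface(src):
    """Longest-prefix lookup of src in ROUTES; None when no route exists."""
    ip = ip_address(src)
    hits = [net for net in ROUTES if ip in net]
    return ROUTES[max(hits, key=lambda n: n.prefixlen)] if hits else None

def urpf_verdict(src, in_iface, mode):
    """Per-interface uRPF as the thread wishes for: 'strict' accepts only if the
    route back to src points at the interface the packet arrived on; 'loose'
    accepts if any route to src exists at all."""
    if mode not in ("strict", "loose"):
        raise ValueError(f"unknown uRPF mode {mode!r}")
    back = reverse_path_iface(src)
    if back is None:
        return "drop"
    if mode == "strict" and back != in_iface:
        return "drop"
    return "accept"
```

Note that the egress rule only fires on the upstream interface, so a spoofed source arriving from a customer port is still forwarded internally; that is the gap the strict uRPF check on customer-facing interfaces closes.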