IPv6 has “temporary” outbound IPs for different outbound sessions. These temp IPv6 IPs expire over time and change. I had four or five at one time on my Mac for existing TCP sessions that were still open, but new traffic wouldn’t be allowed to talk to them. There's also a fixed inbound IPv6 address, but guessing that single IPv6 IP out of a /64 subnet of 18 quintillion IPv6 IPs is a bit harder. Well, a lot harder than script kiddies just scanning each port on each public IPv4 IP. So I guess it’s more like security through obscurity, but still, nothing beats a properly configured firewall.
> On Oct 22, 2016, at 9:39 AM, Ken Hohhof <af...@kwisp.com> wrote:
>
> Takeaway quote: the Internet is “vulnerable to toasters”.
>
> I’ve got to suspect most of these cheap Chinese webcams (i.e. 90% of them)
> and other devices are only accessible via a public IP address because of
> UPnP. And apparently they are forwarding not just HTTP and HTTPS through the
> router but also telnet and SSH. Death to UPnP! We don’t enable it when
> customers lease routers from us. These cams should be using some sort of
> proxy in the cloud to relay the video, not port forwarding on the customer’s
> router.
>
> I also suspect a lot of these are outside the US. At the risk of opening up
> the dreaded “NAT is not a firewall” and “IPv6 is great/terrible” debates, how
> does IPv6 not increase the IoT threat? What is the typical setup for an
> IPv6-enabled customer with toasters and webcams that get public IPs? Does the
> router from the ISP or supplied by the customer still implement a stateful
> firewall so that inbound traffic is blocked unless a connection has been
> established by outbound traffic or a port forwarding rule? Or are there IPv6
> toasters with web and CLI access wide open? Does UPnP still exist with IPv6?
> Maybe it’s no more of a problem with IPv6, but then I still wonder, why are
> so many IoT devices accessible via telnet to exploit the hardcoded default
> passwords? Maybe it’s not our customers buying cheap webcams at Costco,
> maybe it’s really businesses putting their security cameras directly on
> public IP addresses?
>
> From: Af [mailto:af-boun...@afmug.com] On Behalf Of Jaime Solorza
> Sent: Saturday, October 22, 2016 9:57 AM
> To: Animal Farm <af@afmug.com>
> Subject: Re: [AFMUG] Another large DDoS, Stop Being a Dick
>
> 'Smart' home devices used as weapons in website attack
> http://www.bbc.com/news/technology-37738823
>
> On Oct 22, 2016 8:14 AM, "Mike Hammett" <af...@ics-il.net> wrote:
>> Here's a tested config that works with standard IP Firewall. Once I get a
>> chance, I'll make and test a version that uses raw.
>>
>> /ip firewall address-list
>> add address=x.x.x.x/yy comment="My IPs" list=Public_Networks
>> add address=x.x.x.x/yy comment="Upstream /30" list=Public_Networks
>> add address=x.x.x.x/yy comment="Customer ABC's ARIN allocation" list=Public_Networks
>>
>> /ip firewall filter
>> add action=drop chain=forward comment="Block Spoofed Traffic" out-interface=[upstream interface] src-address-list=!Public_Networks
>>
>> -----
>> Mike Hammett
>> Intelligent Computing Solutions <http://www.ics-il.com/>
>> <https://www.facebook.com/ICSIL>
>> <https://plus.google.com/+IntelligentComputingSolutionsDeKalb>
>> <https://www.linkedin.com/company/intelligent-computing-solutions>
>> <https://twitter.com/ICSIL>
>> Midwest Internet Exchange <http://www.midwest-ix.com/>
>> <https://www.facebook.com/mdwestix>
>> <https://www.linkedin.com/company/midwest-internet-exchange>
>> <https://twitter.com/mdwestix>
>> The Brothers WISP <http://www.thebrotherswisp.com/>
>> <https://www.facebook.com/thebrotherswisp>
>> <https://www.youtube.com/channel/UCXSdfxQv7SpoRQYNyLwntZg>
>>
>> From: "Mike Hammett" <af...@ics-il.net>
>> To: af@afmug.com
>> Sent: Friday, October 21, 2016 12:17:13 PM
>> Subject: Re: [AFMUG] Another large DDoS, Stop Being a Dick
>>
>> /ip firewall address-list
>> add list="Public-IPs" address=x.x.x.x/yy disabled=no comment="My IPs"
>> add list="Public-IPs" address=x.x.x.x/yy disabled=no comment="Downstream customer X IPs"
>>
>> /ip firewall filter
>> add action=drop chain=forward comment="Drop spoofed traffic" disabled=no out-interface="To-Upstream" dst-address-list=!"Public-IPs"
>>
>> That was largely composed off the top of my head and typed on my phone,
>> so it may not be completely accurate.
>>
>> You should also do it on customer-facing ports, not allowing anything to come
>> in, but that would be best approached once Mikrotik adds the per-interface
>> setting for unicast reverse path filtering. You would then set said
>> customer-facing interfaces to strict and all other interfaces to loose. They
>> accepted the feature request, just haven't implemented it yet.
>>
>> -----
>> Mike Hammett
>> Intelligent Computing Solutions
>> Midwest Internet Exchange
>> The Brothers WISP
>>
>> From: "Mike Hammett" <af...@ics-il.net>
>> To: af@afmug.com
>> Sent: Friday, October 21, 2016 11:21:35 AM
>> Subject: [AFMUG] Another large DDoS, Stop Being a Dick
>>
>> There's another large DDoS going on now. Go to this page to see if you can
>> be used for UDP amplification (or other spoofing) attacks:
>>
>> https://www.caida.org/projects/spoofer/
>>
>> Go to these pages for longer-term bad behavior monitoring:
>>
>> https://www.shadowserver.org/wiki/
>> https://radar.qrator.net/
>>
>> Maybe we need to start a database of ASNs WISPs are using and start naming
>> and shaming them when they have bad actors on their network. This is
>> serious, people. Take it seriously.
>>
>> -----
>> Mike Hammett
>> Intelligent Computing Solutions
>> Midwest Internet Exchange
>> The Brothers WISP
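Added example, not posted by anyone in the thread: a small Python model of the address-list egress rule quoted above, so you can see on sample packets what the tested rule (matching src-address-list) does, what the earlier phone-typed draft (matching dst-address-list) does, and what the strict per-interface source check the thread wants on customer-facing ports would add on top. The prefixes, interface names and packets are constructed (RFC 5737 / 3849 documentation ranges), and only the single drop rule is modelled; everything the rule does not match is treated as accepted.

```python
# Added example (not from the thread): model of the MikroTik address-list
# egress anti-spoofing rule, the earlier dst-address draft, and a strict
# per-interface source check. All prefixes, interface names and packets
# below are constructed for illustration.
from ipaddress import ip_address, ip_network

# Stand-in for the Public_Networks address-list: every prefix this network
# may legitimately source traffic from (constructed documentation ranges).
PUBLIC_NETWORKS = [
    ip_network("203.0.113.0/24"),    # "My IPs"
    ip_network("198.51.100.0/30"),   # "Upstream /30"
    ip_network("192.0.2.0/24"),      # "Customer ABC's ARIN allocation"
    ip_network("2001:db8:1::/48"),   # same treatment for an IPv6 delegation
]

# Stand-in for strict uRPF on customer ports: the prefixes routed toward each
# customer interface, i.e. the only sources allowed to arrive *from* it.
CUSTOMER_PREFIXES = {
    "ether2-custA": [ip_network("192.0.2.0/24"), ip_network("2001:db8:1:a::/64")],
    "ether3-custB": [ip_network("203.0.113.128/25")],
}

UPSTREAM = "ether1-upstream"   # constructed name for [upstream interface]


def in_list(addr, networks):
    """True if addr falls inside any prefix of the same IP version."""
    a = ip_address(addr)
    return any(a.version == n.version and a in n for n in networks)


def egress_verdict(src, dst, out_interface):
    """Model of the tested rule:
    add action=drop chain=forward out-interface=<upstream> src-address-list=!Public_Networks
    Only traffic leaving toward the upstream is examined; it is dropped
    unless its SOURCE is one of our prefixes."""
    if out_interface != UPSTREAM:
        return "accept"
    return "accept" if in_list(src, PUBLIC_NETWORKS) else "drop"


def draft_verdict(src, dst, out_interface):
    """Model of the earlier draft, which used dst-address-list=!Public-IPs,
    i.e. it tests the DESTINATION rather than the source."""
    if out_interface != UPSTREAM:
        return "accept"
    return "accept" if in_list(dst, PUBLIC_NETWORKS) else "drop"


def ingress_verdict(src, in_interface):
    """Strict-uRPF style check on a customer-facing port: a packet may only
    enter from an interface that its source prefix is routed toward."""
    allowed = CUSTOMER_PREFIXES.get(in_interface)
    if allowed is None:
        return "accept"          # not a customer port; no strict check here
    return "accept" if in_list(src, allowed) else "drop"


# Constructed sample traffic: (label, src, dst, in_interface, out_interface)
PACKETS = [
    ("legit-v4",   "192.0.2.10",      "8.8.8.8",         "ether2-custA", UPSTREAM),
    ("legit-v6",   "2001:db8:1:a::5", "2001:4860::8888", "ether2-custA", UPSTREAM),
    ("spoof-v4",   "198.51.100.200",  "8.8.8.8",         "ether2-custA", UPSTREAM),
    ("spoof-v6",   "2001:db8:2::1",   "2001:4860::8888", "ether2-custA", UPSTREAM),
    ("wrong-port", "192.0.2.10",      "8.8.8.8",         "ether3-custB", UPSTREAM),
    ("internal",   "192.0.2.10",      "203.0.113.5",     "ether2-custA", "ether4-lan"),
    ("lan-spoof",  "10.0.0.5",        "203.0.113.5",     "ether2-custA", "ether4-lan"),
]


def run(packets=PACKETS):
    """Return {label: (ingress, egress, draft)} verdicts for each packet."""
    out = {}
    for label, src, dst, in_if, out_if in packets:
        out[label] = (ingress_verdict(src, in_if),
                      egress_verdict(src, dst, out_if),
                      draft_verdict(src, dst, out_if))
    return out


if __name__ == "__main__":
    for label, (ingress, egress, draft) in run().items():
        print(f"{label:10s} ingress={ingress:6s} egress={egress:6s} draft={draft}")
```

Two things the table makes visible: the draft rule, because it tests the destination, drops ordinary Internet-bound traffic from your own prefixes while passing a spoofed packet aimed at your own space; and the egress rule alone never sees packets that stay inside the network (the "lan-spoof" row), which is the gap the per-interface strict check on customer ports closes.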