I think the traffic Amos is referring to is random traffic hitting the devices causing them to "wake up". Everyone here knows a simple dump on port 22 will show traffic. We have a /22 that gets an avg of 1-2 mbit of random traffic (mainly 22 and 3389).
On Wed, Apr 10, 2019 at 9:49 AM Ca By <[email protected]> wrote:
>
> On Wed, Apr 10, 2019 at 6:23 AM Amos Rosenboim <[email protected]> wrote:
>
>> Hello NANOG,
>>
>> We are discussing internally and wanted to get more opinions and especially more data on what people are actually doing.
>>
>> We are running an ISP network with about 150K fixed broadband users, running dual stack (IPv4 behind CGNAT).
>>
>> On the ISP network IPv6 is simply routed, and is firewalled on the CPE.
>>
>> This network added mobile services about a year ago, also dual stack (we have no control on the mobile devices so we were too concerned to choose IPv6 only access).
>>
>> We have an ongoing discussion about Gi firewall (adding a firewall between the subscribers and the internet, allowing only subscriber initiated connections), for the IPv6 traffic.
>>
>> The firewall is doing very little security, the ruleset is very basic, allowing anything from subscribers to the internet and blocking all traffic from the internet towards the subscribers.
>>
>> We have a few rules to limit the number of connections per subscriber (to a relatively high number) and that is it.
>>
>> One of the arguments in favor of having the firewall is that unsolicited traffic from the internet can “wake” idle mobile devices, and create signaling (paging) storms as well as drain user batteries.
>>
>> On the other hand, allowing only subscriber initiated traffic is mostly achievable using ACLs on the mobile core facing routers, or is it with the growing percentage of UDP traffic?
>>
>> BTW – I don’t mention IPv4 traffic on the mobile network as it’s all behind CGNAT which doesn’t allow internet initiated connections.
>>
>> Anyway, we are very interested to hear more opinions, and especially to hear what other mobile operators do.
>>
>> Regards
>>
>> Amos
>
> Step outside the theoretical and model your real threats. Attack yourself or pay someone to do a real pentest.
>
> 1. Does a hacker know the ipv6 of your subs? How frequently does the sub get a new 128 bit address?
>
> 2. What does the hacker get from a paging storm? Economic benefit? Lolz? Has a malicious paging storm ever happened in the real world? What level of effort would be required to trigger that? Is that level of effort more or less than it would take to tip over a stateful firewall (session exhaustion, pps attack, alg bugs, vulns in the fw https://www.zdnet.com/article/cisco-removed-its-seventh-backdoor-account-this-year-and-thats-a-good-thing/ )
>
> 3. Assuming the hacker gleans the address of the sub, what ports are open in the real world? What can a hacker connect to and accomplish?
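As an added illustration (my own code, not from the thread or from anyone's operator network), here is a small Python model of the two designs Amos contrasts: a stateless "established"-style ACL on the core-facing routers versus a stateful Gi flow table. Every address and port is constructed; the resolver, web server and scanner are hypothetical.

```python
from dataclasses import dataclass
# Constructed addresses (RFC 3849 documentation prefix); the subscriber,
# resolver, web server and scanner are all hypothetical.
SUB, RESOLVER, WEB, SCANNER = ("2001:db8:1::10", "2001:db8:2::53",
                               "2001:db8:3::80", "2001:db8:4::1")

@dataclass(frozen=True)
class Pkt:
    proto: str        # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""   # TCP flag letters such as "S", "SA", "A"; empty for UDP

def stateless_acl_permits(pkt: Pkt) -> bool:
    """Internet->subscriber filter a core router can apply without state:
    permit TCP only when ACK or RST is set (the classic 'established' match).
    UDP has no such bit, so a stateless ACL must permit or drop all of it;
    this one drops it, which also drops replies to subscriber DNS/QUIC."""
    return pkt.proto == "tcp" and ("A" in pkt.flags or "R" in pkt.flags)

class GiFirewall:
    """Minimal stateful Gi model: remember subscriber-initiated 5-tuples and
    permit an inbound packet only if it is the reverse of a known flow."""
    def __init__(self):
        self.flows = set()
    def outbound(self, pkt: Pkt) -> None:
        self.flows.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
    def inbound_permits(self, pkt: Pkt) -> bool:
        return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows

def compare() -> dict:
    """Return {case: (stateless ACL permits?, Gi firewall permits?)}."""
    fw = GiFirewall()
    fw.outbound(Pkt("udp", SUB, 40000, RESOLVER, 53))       # subscriber DNS query
    fw.outbound(Pkt("tcp", SUB, 50000, WEB, 443, "S"))      # subscriber HTTPS SYN
    cases = {
        "dns reply": Pkt("udp", RESOLVER, 53, SUB, 40000),
        "https syn-ack": Pkt("tcp", WEB, 443, SUB, 50000, "SA"),
        "unsolicited syn to 22": Pkt("tcp", SCANNER, 1234, SUB, 22, "S"),
        "unsolicited syn to 3389": Pkt("tcp", SCANNER, 1234, SUB, 3389, "S"),
        # ACK set but no matching flow: passes 'established' and still
        # reaches the idle handset, which is the paging/battery concern.
        "unsolicited ack to 22": Pkt("tcp", SCANNER, 1234, SUB, 22, "A"),
    }
    return {name: (stateless_acl_permits(p), fw.inbound_permits(p))
            for name, p in cases.items()}
```

The interesting rows are the DNS reply (the stateless ACL drops a legitimate answer, the flow table permits it) and the bare ACK (the stateless ACL lets it through, the flow table does not), which is exactly the UDP-versus-state trade-off the question raises.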

