On Wed, Apr 10, 2019 at 7:06 AM Dovid Bender <do...@telecurve.com> wrote:
> I think the traffic Amos is referring to is random traffic hitting the
> devices causing them to "wake up". Everyone here knows a simple dump on
> port 22 will show traffic. We have a /22 that gets an avg of 1-2 mbit of
> random traffic (mainly 22 and 3389).
>

I believe he was talking about ipv6. Does this backscatter happen in ipv6
given how impractical scanning ipv6 is?

> On Wed, Apr 10, 2019 at 9:49 AM Ca By <cb.li...@gmail.com> wrote:
>
>> On Wed, Apr 10, 2019 at 6:23 AM Amos Rosenboim <a...@oasis-tech.net>
>> wrote:
>>
>>> Hello NANOG,
>>>
>>> We are discussing internally and wanted to get more opinions and
>>> especially more data on what people are actually doing.
>>>
>>> We are running an ISP network with about 150K fixed broadband users,
>>> running dual stack (IPv4 behind CGNAT).
>>>
>>> On the ISP network IPv6 is simply routed, and is firewalled on the CPE.
>>>
>>> This network added mobile services about a year ago, also dual stack (we
>>> have no control on the mobile devices so we were too concerned to choose
>>> IPv6 only access).
>>>
>>> We have an ongoing discussion about a Gi firewall (adding a firewall
>>> between the subscribers and the internet, allowing only subscriber
>>> initiated connections) for the IPv6 traffic.
>>>
>>> The firewall is doing very little security, the ruleset is very basic,
>>> allowing anything from subscribers to the internet and blocking all traffic
>>> from the internet towards the subscribers.
>>>
>>> We have a few rules to limit the number of connections per subscriber
>>> (to a relatively high number) and that is it.
>>>
>>> One of the arguments in favor of having the firewall is that unsolicited
>>> traffic from the internet can "wake" idle mobile devices, and create
>>> signaling (paging) storms as well as drain user batteries.
>>>
>>> On the other hand, allowing only subscriber initiated traffic is mostly
>>> achievable using ACLs on the mobile core facing routers, or is it, with the
>>> growing percentage of UDP traffic?
>>>
>>> BTW – I don't mention IPv4 traffic on the mobile network as it's all
>>> behind CGNAT which doesn't allow internet initiated connections.
>>>
>>> Anyway, we are very interested to hear more opinions, and
>>> especially to hear what other mobile operators do.
>>>
>>> Regards
>>>
>>> Amos
>>>
>>
>> Step outside the theoretical and model your real threats. Attack yourself
>> or pay someone to do a real pentest.
>>
>> 1. Does a hacker know the ipv6 of your subs? How frequently does the sub
>> get a new 128 bit address?
>>
>> 2. What does the hacker get from a paging storm? Economic benefit?
>> Lolz? Has a malicious paging storm ever happened in the real world? What
>> level of effort would be required to trigger that? Is that level of effort
>> more or less than it would take to tip over a stateful firewall (session
>> exhaustion, pps attack, alg bugs, vulns in the fw
>> https://www.zdnet.com/article/cisco-removed-its-seventh-backdoor-account-this-year-and-thats-a-good-thing/
>> )
>>
>> 3. Assuming the hacker gleans the address of the sub, what ports are open
>> in the real world? What can a hacker connect to and accomplish?
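Amos asks whether "subscriber-initiated only" can be done with plain ACLs on the core-facing routers, or whether the growing share of UDP breaks that, and Dovid notes the random SYN traffic on 22/3389 that wakes devices. The following is an added example (not from the thread or any vendor) that models both options over a constructed packet sample: a stateless ACL that uses the usual "established" heuristic (TCP packets with ACK or RST set are treated as replies) and must pick one blanket policy for inbound UDP, beside a reflexive/conntrack-style flow table that permits only the reverse direction of subscriber-originated 5-tuples until an idle timeout. All addresses, ports and timestamps are constructed, and the `SUB_PREFIX`, `Pkt`, `stateless_acl` and `StatefulFilter` names are this example's own.

```python
"""Stateless ACL vs stateful flow table for "subscriber-initiated only" at a
mobile Gi/SGi edge. Added example; all addresses and packets are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

SUB_PREFIX = "2001:db8:1:"  # constructed: the subscriber prefix behind the Gi edge


@dataclass(frozen=True)
class Pkt:
    t: float         # constructed timestamp in seconds
    src: str
    dst: str
    proto: str       # "tcp" or "udp"
    sport: int
    dport: int
    flags: str = ""  # TCP flag letters, e.g. "S", "SA", "A", "R"


def from_subscriber(p: Pkt) -> bool:
    return p.src.startswith(SUB_PREFIX)


def stateless_acl(p: Pkt, udp_inbound: str = "permit") -> str:
    """Router-style stateless ACL on the core-facing interface.

    Subscriber -> internet: permit. Internet -> subscriber: permit TCP only
    when ACK or RST is set ('established' semantics); SYN-only is denied.
    UDP carries no flags, so one blanket policy must be chosen for all
    inbound UDP: 'permit' (unsolicited UDP still reaches and wakes devices)
    or 'deny' (replies to subscriber-initiated DNS/QUIC flows are dropped).
    """
    if from_subscriber(p):
        return "permit"
    if p.proto == "tcp":
        return "permit" if ("A" in p.flags or "R" in p.flags) else "deny"
    return udp_inbound


class StatefulFilter:
    """Reflexive-ACL / conntrack style: remember subscriber-originated
    5-tuples and permit only their reverse direction until an idle timeout.
    The table grows with subscriber-initiated flows, which is why a
    per-subscriber connection limit matters for session-exhaustion attacks."""

    def __init__(self, udp_timeout: float = 30.0, tcp_timeout: float = 300.0):
        self.timeouts = {"udp": udp_timeout, "tcp": tcp_timeout}
        self.flows: Dict[Tuple[str, str, int, str, int], float] = {}

    def handle(self, p: Pkt) -> str:
        if from_subscriber(p):
            self.flows[(p.proto, p.src, p.sport, p.dst, p.dport)] = p.t
            return "permit"
        key = (p.proto, p.dst, p.dport, p.src, p.sport)  # reverse 5-tuple
        last = self.flows.get(key)
        if last is not None and p.t - last <= self.timeouts[p.proto]:
            self.flows[key] = p.t
            return "permit"
        return "deny"


# Constructed sample: one subscriber, a DNS server, a web server, a scanner.
SUB = "2001:db8:1:0:1234:5678:9abc:def0"
DNS = "2001:db8:ffff::53"
WEB = "2001:db8:ffff::80"
SCAN = "2001:db8:bad::1"

SAMPLE: List[Pkt] = [
    Pkt(0.00, SUB, DNS, "udp", 51000, 53),          # subscriber DNS query
    Pkt(0.05, DNS, SUB, "udp", 53, 51000),          # DNS reply
    Pkt(1.00, SUB, WEB, "tcp", 40000, 443, "S"),    # subscriber opens TLS
    Pkt(1.05, WEB, SUB, "tcp", 443, 40000, "SA"),   # SYN/ACK back
    Pkt(5.00, SCAN, SUB, "tcp", 4444, 22, "S"),     # SYN scan on 22
    Pkt(5.10, SCAN, SUB, "tcp", 4444, 3389, "A"),   # ACK probe on 3389
    Pkt(6.00, SCAN, SUB, "udp", 5555, 5060),        # unsolicited UDP probe
    Pkt(100.0, DNS, SUB, "udp", 53, 51000),         # stale "reply" after idle timeout
]


def run_stateless(pkts: List[Pkt], udp_inbound: str = "permit") -> List[str]:
    return [stateless_acl(p, udp_inbound) for p in pkts]


def run_stateful(pkts: List[Pkt]) -> List[str]:
    f = StatefulFilter()
    return [f.handle(p) for p in pkts]


def reached_subscriber(pkts: List[Pkt], decisions: List[str]) -> List[int]:
    """Indices of internet-originated packets that were delivered; each one
    can page an idle device, so this is the 'wake-up' surface."""
    return [i for i, (p, d) in enumerate(zip(pkts, decisions))
            if not from_subscriber(p) and d == "permit"]


if __name__ == "__main__":
    for name, dec in (("stateless, udp permit", run_stateless(SAMPLE)),
                      ("stateless, udp deny", run_stateless(SAMPLE, "deny")),
                      ("stateful", run_stateful(SAMPLE))):
        print(f"{name:22s} delivered inbound: {reached_subscriber(SAMPLE, dec)}")
```

With the sample above, the stateless ACL in "udp permit" mode delivers the DNS reply and the SYN/ACK but also the ACK probe on 3389, the unsolicited UDP probe and the stale DNS "reply"; in "udp deny" mode it stops the UDP probes but also drops the legitimate DNS reply, while the ACK probe still gets through because the flag heuristic cannot tell a probe from a reply. The flow table delivers exactly the two solicited replies. The price is the per-flow state that Ca By's session-exhaustion point targets, which is what the per-subscriber connection limit Amos mentions is there to bound.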