I don't have v6 stats yet but it would be interesting to see. I did a tcpdump on one v6 IP and saw hundreds of requests to port 25.
On Wed, Apr 10, 2019 at 10:43 AM Ca By <cb.li...@gmail.com> wrote:
>
> On Wed, Apr 10, 2019 at 7:06 AM Dovid Bender <do...@telecurve.com> wrote:
>
>> I think the traffic Amos is referring to is random traffic hitting the
>> devices causing them to "wake up". Everyone here knows a simple dump on
>> port 22 will show traffic. We have a /22 that gets an avg of 1-2 mbit of
>> random traffic (mainly 22 and 3389).
>
> I believe he was talking about ipv6.
>
> Does this backscatter happen in ipv6 given how impractical scanning ipv6
> is?
>
>> On Wed, Apr 10, 2019 at 9:49 AM Ca By <cb.li...@gmail.com> wrote:
>>
>>> On Wed, Apr 10, 2019 at 6:23 AM Amos Rosenboim <a...@oasis-tech.net>
>>> wrote:
>>>
>>>> Hello NANOG,
>>>>
>>>> We are discussing internally and wanted to get more opinions and
>>>> especially more data on what people are actually doing.
>>>>
>>>> We are running an ISP network with about 150K fixed broadband users,
>>>> running dual stack (IPv4 behind CGNAT).
>>>>
>>>> On the ISP network IPv6 is simply routed, and is firewalled on the CPE.
>>>>
>>>> This network added mobile services about a year ago, also dual stack
>>>> (we have no control on the mobile devices so we were too concerned to
>>>> choose IPv6 only access).
>>>>
>>>> We have an ongoing discussion about Gi firewall (adding a firewall
>>>> between the subscribers and the internet, allowing only subscriber
>>>> initiated connections), for the IPv6 traffic.
>>>>
>>>> The firewall is doing very little security, the ruleset is very basic,
>>>> allowing anything from subscribers to the internet and blocking all traffic
>>>> from the internet towards the subscribers.
>>>>
>>>> We have a few rules to limit the number of connections per subscriber
>>>> (to a relatively high number) and that is it.
>>>>
>>>> One of the arguments in favor of having the firewall is that
>>>> unsolicited traffic from the internet can "wake" idle mobile devices, and
>>>> create signaling (paging) storms as well as drain user batteries.
>>>>
>>>> On the other hand, allowing only subscriber initiated traffic is mostly
>>>> achievable using ACLs on the mobile core facing routers, or is it with the
>>>> growing percentage of UDP traffic?
>>>>
>>>> BTW - I don't mention IPv4 traffic on the mobile network as it's all
>>>> behind CGNAT which doesn't allow internet initiated connections.
>>>>
>>>> Anyway, we are very interested to hear more opinions, and
>>>> especially to hear what other mobile operators do.
>>>>
>>>> Regards
>>>>
>>>> Amos
>>>
>>> Step outside the theoretical and model your real threats. Attack
>>> yourself or pay someone to do a real pentest.
>>>
>>> 1. Does a hacker know the ipv6 of your subs? How frequently does the sub
>>> get a new 128 bit address?
>>>
>>> 2. What does the hacker get from a paging storm? Economic benefit?
>>> Lolz? Has a malicious paging storm ever happened in the real world? What
>>> level of effort would be required to trigger that? Is that level of effort
>>> more or less than it would take to tip over a stateful firewall (session
>>> exhaustion, pps attack, alg bugs, vulns in the fw
>>> https://www.zdnet.com/article/cisco-removed-its-seventh-backdoor-account-this-year-and-thats-a-good-thing/
>>> )
>>>
>>> 3. Assuming the hacker gleans the address of the sub, what ports are
>>> open in the real world? What can a hacker connect to and accomplish?
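Amos asks whether "subscriber-initiated only" can be enforced with plain ACLs on the core-facing routers once UDP is a large share of traffic, and Ca By's advice is to measure the real exposure rather than argue about it. The simulation below is an added example, not code from the thread or from any participant: it replays a constructed set of packet summaries (documentation-prefix addresses, an assumed subscriber pool of 2001:db8:100::/40, an assumed 300-second idle timeout) through three simplified policies, a stateless ACL that permits "established" TCP plus all UDP, the same ACL with UDP denied, and a stateful tracker, and scores each on probes admitted versus legitimate replies blocked.

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network

# Constructed packet summaries (not captured from the thread's network).
# `legit` is ground truth used only for scoring: True = reply to a flow the
# subscriber started, False = unsolicited, None = outbound (never scored).
Pkt = namedtuple("Pkt", "t src sport dst dport proto flags legit")

SUB_PREFIX = ip_network("2001:db8:100::/40")  # assumed subscriber pool (documentation prefix)
FLOW_TIMEOUT = 300.0  # seconds a stateful device remembers an idle flow (assumed value)

SUB, DNS, WEB, SCAN = "2001:db8:100::1", "2001:db8:ffff::53", "2001:db8:ffff::80", "2001:db8:bad::1"

PACKETS = [
    Pkt(0.0, SUB, 54321, DNS, 53, "udp", "", None),      # outbound DNS query
    Pkt(0.1, DNS, 53, SUB, 54321, "udp", "", True),      # DNS reply
    Pkt(1.0, SUB, 40000, WEB, 443, "udp", "", None),     # outbound QUIC
    Pkt(1.2, WEB, 443, SUB, 40000, "udp", "", True),     # QUIC reply
    Pkt(2.0, SUB, 50000, WEB, 443, "tcp", "S", None),    # outbound TCP SYN
    Pkt(2.1, WEB, 443, SUB, 50000, "tcp", "SA", True),   # SYN/ACK reply
    Pkt(5.0, SCAN, 41000, SUB, 25, "tcp", "S", False),   # unsolicited SYN to port 25
    Pkt(6.0, SCAN, 1900, SUB, 1900, "udp", "", False),   # unsolicited UDP probe
    Pkt(7.0, SCAN, 41001, SUB, 22, "tcp", "A", False),   # bare ACK, no prior SYN
    Pkt(400.0, DNS, 53, SUB, 54321, "udp", "", False),   # late packet reusing the old DNS tuple
]


def from_subscriber(p):
    return ip_address(p.src) in SUB_PREFIX


def tcp_established(p):
    # All a router ACL's "established" keyword can test: ACK or RST bit set.
    return "A" in p.flags or "R" in p.flags


def stateless_permit_udp(p, _state):
    """Stateless ACL: permit 'established' TCP and all inbound UDP (so replies work)."""
    return tcp_established(p) if p.proto == "tcp" else True


def stateless_deny_udp(p, _state):
    """Stateless ACL: permit 'established' TCP, deny all inbound UDP."""
    return tcp_established(p) if p.proto == "tcp" else False


def stateful(p, state):
    """Stateful model: permit only if the reverse 5-tuple was seen outbound recently."""
    seen = state.get((p.src, p.sport, p.dst, p.dport, p.proto))
    return seen is not None and p.t - seen <= FLOW_TIMEOUT


def evaluate(policy, packets=PACKETS):
    """Return how many probes the policy admitted and how many legitimate replies it blocked."""
    state = {}  # expected reply 5-tuple -> time of the last outbound packet
    admitted_probes = blocked_legit = 0
    for p in sorted(packets, key=lambda x: x.t):
        if from_subscriber(p):
            # Outbound is always permitted; remember the tuple a reply would carry.
            state[(p.dst, p.dport, p.src, p.sport, p.proto)] = p.t
            continue
        allowed = policy(p, state)
        if allowed and p.legit is False:
            admitted_probes += 1
        elif not allowed and p.legit:
            blocked_legit += 1
    return {"admitted_probes": admitted_probes, "blocked_legit": blocked_legit}


POLICIES = {
    "stateless ACL, UDP permitted": stateless_permit_udp,
    "stateless ACL, UDP denied": stateless_deny_udp,
    "stateful tracking": stateful,
}

if __name__ == "__main__":
    for name, policy in POLICIES.items():
        print(f"{name:30s} {evaluate(policy)}")
```

On this constructed sample the stateless ACL has no good setting for UDP: permitting it lets the UDP probe, the bare-ACK probe and the stale late packet through, while denying it breaks the DNS and QUIC replies and still admits the bare ACK, which is the classic blind spot of an ACL that can only test TCP flag bits. The stateful model admits nothing unsolicited, at the cost of the per-flow table that Ca By's second question (session exhaustion, pps attacks) is about; the timeout value and the single-timer treatment of TCP and UDP are simplifications, not a description of any real product.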