Re: [WISPA] Another Large DDoS, Stop Being a Dick

2016-10-22 Thread Mike Hammett
Here's a tested config that works with standard IP Firewall. Once I get a 
chance, I'll make and test a version that uses raw. 

/ip firewall address-list
add address=x.x.x.x/yy comment="My IPs" list=Public_Networks
add address=x.x.x.x/yy comment="Upstream /30" list=Public_Networks
add address=x.x.x.x/yy comment="Customer ABC's ARIN allocation" list=Public_Networks

/ip firewall filter
add action=drop chain=forward comment="Block Spoofed Traffic" out-interface=[upstream interface] src-address-list=!Public_Networks





- 
Mike Hammett
Intelligent Computing Solutions
Midwest Internet Exchange
The Brothers WISP


___
Wireless mailing list
Wireless@wispa.org
http://lists.wispa.org/mailman/listinfo/wireless


Re: [WISPA] Another Large DDoS, Stop Being a Dick

2016-10-21 Thread Mike Hammett
If you have a default route anywhere, that won't work. 

If you have more than one upstream with differing routes, that may not work. 

Once Mikrotik adds the ability to set it per interface, that'll help. 






Re: [WISPA] Another Large DDoS, Stop Being a Dick

2016-10-21 Thread Philip Dorr
Wouldn't setting RP filter to strict fix the spoofing issue?  If not, why
not?

/ip settings set rp-filter=strict

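The two approaches argued over in this thread, the address-list egress rule Mike posted and the rp-filter strict/loose modes Philip asks about, side by side as an added example. This is my code, not Mike's configuration or anything from MikroTik: a small Python model of a router with customer-facing ports and two upstreams, run over four constructed packets. Everything in it is assumed: the prefixes are RFC 5737 / RFC 2544 documentation space standing in for the x.x.x.x/yy placeholders, the interface names (cust1, cust2, up1, up2) and the second upstream are invented, and loose/strict uRPF are modelled with their textbook semantics (loose accepts any source that has a route, a default route included; strict additionally requires that route to point back at the ingress interface), not RouterOS's exact implementation.

```python
"""Model of two anti-spoofing checks from the WISPA thread (added example, not
the list's own code): the RouterOS address-list egress rule and loose/strict
unicast RPF. Topology and addresses are constructed documentation space."""
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address, ip_network

# --- Constructed topology (assumed; RFC 5737 / RFC 2544 ranges) ---------------
# The RouterOS address-list "Public_Networks": everything that may legitimately
# be a source address leaving towards an upstream.
PUBLIC_NETWORKS = [
    ip_network("192.0.2.0/24"),       # "My IPs" (split over two customer ports)
    ip_network("198.51.100.0/30"),    # "Upstream /30" towards up1
    ip_network("198.51.100.4/30"),    # second upstream /30 towards up2 (assumed)
]
UPSTREAM_IFACES = {"up1", "up2"}      # stands in for out-interface=[upstream interface]

# Forwarding table as (prefix, out-interface); longest prefix wins.
ROUTES = [
    (ip_network("0.0.0.0/0"), "up1"),          # default route via upstream 1
    (ip_network("192.0.2.0/25"), "cust1"),
    (ip_network("192.0.2.128/25"), "cust2"),
    (ip_network("198.51.100.0/30"), "up1"),
    (ip_network("198.51.100.4/30"), "up2"),
    (ip_network("203.0.113.0/24"), "up2"),     # remote prefix learned only from upstream 2
]


@dataclass(frozen=True)
class Packet:
    in_iface: str
    src: IPv4Address
    dst: IPv4Address


def lookup(addr: IPv4Address):
    """Longest-prefix match; returns the out-interface, or None if no route."""
    best = None
    for prefix, iface in ROUTES:
        if addr in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, iface)
    return best[1] if best else None


def egress_filter(pkt: Packet) -> str:
    """Mike's rule: chain=forward out-interface=<upstream>
    src-address-list=!Public_Networks action=drop."""
    out = lookup(pkt.dst)
    if out in UPSTREAM_IFACES and not any(pkt.src in n for n in PUBLIC_NETWORKS):
        return "drop"
    return "forward"


def rpf(pkt: Packet, mode: str) -> str:
    """Textbook uRPF (assumed semantics, not RouterOS's implementation).
    loose : accept if any route covers the source; a default route covers all.
    strict: accept only if the route for the source points back at in_iface."""
    via = lookup(pkt.src)
    if mode == "loose":
        return "forward" if via is not None else "drop"
    if mode == "strict":
        return "forward" if via == pkt.in_iface else "drop"
    raise ValueError(f"unknown rp-filter mode {mode!r}")


# Constructed test packets (hypothetical traffic, not captures).
CASES = {
    # customer forges a source we do not own, aimed at a prefix behind up2
    "spoofed from customer": Packet("cust1", ip_address("198.18.0.1"), ip_address("203.0.113.9")),
    # the same customer using its real address
    "legit from customer": Packet("cust1", ip_address("192.0.2.10"), ip_address("203.0.113.9")),
    # the reply comes back over up1 although our route to 203.0.113.0/24 says up2
    "legit reply via other upstream": Packet("up1", ip_address("203.0.113.9"), ip_address("192.0.2.10")),
    # a customer on cust2 forges an address that belongs to the cust1 side
    "customer spoofing a neighbour": Packet("cust2", ip_address("192.0.2.10"), ip_address("203.0.113.9")),
}


def verdicts():
    """Verdict of each check for each constructed packet."""
    return {
        name: {
            "address-list": egress_filter(p),
            "rpf-loose": rpf(p, "loose"),
            "rpf-strict": rpf(p, "strict"),
        }
        for name, p in CASES.items()
    }


if __name__ == "__main__":
    for name, v in verdicts().items():
        print(f"{name:32s} {v}")
```

Running it prints one verdict line per case. The spoofed packet shows why the address-list rule and strict RPF both catch a bogus source while loose RPF combined with a default route lets it through; the reply arriving on up1 for a prefix routed via up2 shows the legitimate traffic strict mode drops on a multi-homed box, which is exactly why the thread is waiting for a per-interface setting (strict on customer ports, loose elsewhere); and the neighbour-spoofing case shows the gap the egress address-list rule leaves on its own, a customer forging one of your own addresses, which only an ingress check on the customer ports closes.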


Re: [WISPA] Another Large DDoS, Stop Being a Dick

2016-10-21 Thread Mike Hammett
/ip firewall address-list
add list="Public-IPs" address=x.x.x.x/yy disabled=no comment="My IPs"
add list="Public-IPs" address=x.x.x.x/yy disabled=no comment="Downstream customer X IPs"

/ip firewall filter
add action=drop chain=forward comment="Drop spoofed traffic" disabled=no out-interface="To-Upstream" dst-address-list=!"Public-IPs"

That was largely composed off of the top of my head and typed on my phone, so 
it may not be completely accurate. 


You should also do it on customer-facing ports, not allowing anything to come in, but that would be best approached once Mikrotik adds the per-interface setting for unicast reverse path filtering. You would then set customer-facing interfaces to strict and all other interfaces to loose. They accepted the feature request, just haven't implemented it yet.






Re: [WISPA] Another Large DDoS, Stop Being a Dick

2016-10-21 Thread Mike Hammett
Sorry, src-address-list, not dst-address-list. 






Re: [WISPA] Another Large DDoS, Stop Being a Dick

2016-10-21 Thread Shawn C. Peppers
I'm sick of the shit too. Everyone needs to start using upstream BGP communities properly and put an end to it. If we all could just null-route all the way back to the originating ASN, the problem would go away, IMHO.

Shawn C. Peppers
Video Direct Satellite & Entertainment
866-680-8433 Toll Free
480-287-9960 Fax
http://www.video-direct.tv



[WISPA] Another Large DDoS, Stop Being a Dick

2016-10-21 Thread Mike Hammett
There's another large DDoS going on now. Go to this page to see if you can be 
used for UDP amplification (or other spoofing) attacks: 

https://www.caida.org/projects/spoofer/ 

Go to these pages for more longer term bad behavior monitoring: 

https://www.shadowserver.org/wiki/ 
https://radar.qrator.net/ 


Maybe we need to start a database of ASNs WISPs are using and start naming and 
shaming them when they have bad actors on their network. This is serious, 
people. Take it seriously. 



