Re: Thank you, Comcast.

2016-03-07 Thread Jay R. Ashworth
- Original Message - > From: "Mike Hammett" > I think you'd be hard pressed to find more than a tenth of a percent of people > attempt to run their own DNS server. Some do because they think it'll be > better > in some way. Rare is the occasion where anything user

Re: Thank you, Comcast. (aka patch your D-Link gear)

2016-03-01 Thread Scott Weeks
--- jason_living...@comcast.com wrote: As noted last week we're ... Thank you for sharing this and all the other stuff over the years with the NANOG community. scott

Re: Thank you, Comcast. (aka patch your D-Link gear)

2016-03-01 Thread Livingood, Jason
As a followup to this issue, and looking specifically at SSDP abuse (not the DNS amplification noted in the 1st email), one point of commonality we have identified in many customers is a D-Link device (range of different models). If you or someone you know uses a D-Link device, please see this

Re: Thank you, Comcast.

2016-02-27 Thread Mike Hammett
Sent: Saturday, February 27, 2016 7:07:04 AM Subject: Re: Thank you, Comcast. On Fri, Feb 26, 2016 at 07:21:04PM -0600, Mike Hammett wrote: > So we have people saying that blocking residential users from hosting > DNS servers is not really providing Internet service. Now we have peo

Re: Thank you, Comcast.

2016-02-27 Thread Rich Kulawiec
On Fri, Feb 26, 2016 at 07:21:04PM -0600, Mike Hammett wrote: > So we have people saying that blocking residential users from hosting > DNS servers is not really providing Internet service. Now we have people > saying it isn't service if it doesn't (more or less) completely work > in lynx.

RE: Thank you, Comcast.

2016-02-26 Thread Keith Medcalf
"NANOG list" <nanog@nanog.org> > Sent: Friday, February 26, 2016 6:59:28 PM > Subject: RE: Thank you, Comcast. > > > The default configuration of IE (all versions), Firefox (all versions), > Edge (all versions) and Chrome (all versions) is a zero-security > configu

Re: Thank you, Comcast.

2016-02-26 Thread Mike Hammett
-il.com Midwest-IX http://www.midwest-ix.com - Original Message - From: "Keith Medcalf" <kmedc...@dessus.com> To: "NANOG list" <nanog@nanog.org> Sent: Friday, February 26, 2016 6:59:28 PM Subject: RE: Thank you, Comcast. The default configuration of

Re: Thank you, Comcast.

2016-02-26 Thread Roland Dobbins
On 27 Feb 2016, at 8:06, Keith Medcalf wrote: Consumer Narrowband Access Networks use these protocols all the time. Most broadband access customers do not actively use these protocols, themselves, with the partial exception of SIP. --- Roland Dobbins

RE: Thank you, Comcast.

2016-02-26 Thread Keith Medcalf
oun...@nanog.org] On Behalf Of Roland Dobbins > Sent: Friday, 26 February, 2016 10:55 > To: NANOG list > Subject: Re: Thank you, Comcast. > > On 26 Feb 2016, at 22:52, Jay Nugent wrote: > > >Customers regularly use various VPN protocols from GRE, SIT, and > > IPIP, mon

Re: Thank you, Comcast.

2016-02-26 Thread Roland Dobbins
On 27 Feb 2016, at 7:59, John Levine wrote: I think that most if not all of the consumer over the top VoIP phones like Vonage use SIP. That's true. One would hope that they're not globally reachable, however. --- Roland Dobbins

Re: Thank you, Comcast.

2016-02-26 Thread John Levine
>True, but how prevalent are 'bare' SIP phones vs. VoIP systems utilized >by remote workers via VPNs? Dunno, but I have two of them. I think that most if not all of the consumer over the top VoIP phones like Vonage use SIP. R's, John

RE: Thank you, Comcast.

2016-02-26 Thread Keith Medcalf
> From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Mike Hammett > Sent: Friday, February 26, 2016 10:01 AM > To: NANOG list > Subject: Re: Thank you, Comcast. > > Works fine on a default Chrome installation. *shrugs* > > > > > - > Mike Hammett

Re: Thank you, Comcast.

2016-02-26 Thread Roland Dobbins
On 27 Feb 2016, at 7:23, John Levine wrote: The VoIP phones sure use SIP. True, but how prevalent are 'bare' SIP phones vs. VoIP systems utilized by remote workers via VPNs? --- Roland Dobbins

Re: Thank you, Comcast.

2016-02-26 Thread John Levine
>> A certain number of us work from home and connect to headquarters with >> a VPN. and have SIP phones, you know. > >Not typically via/requiring the protocols you mentioned. The VoIP phones sure use SIP. R's, John

Re: Thank you, Comcast.

2016-02-26 Thread Roland Dobbins
On 27 Feb 2016, at 4:03, John Levine wrote: A certain number of us work from home and connect to headquarters with a VPN. and have SIP phones, you know. Not typically via/requiring the protocols you mentioned. --- Roland Dobbins

Re: Thank you, Comcast.

2016-02-26 Thread Brielle Bruns
On 2/26/16 1:08 PM, Rich Kulawiec wrote: On Fri, Feb 26, 2016 at 10:16:33AM -0700, Brielle Bruns wrote: You can't do anything about idiots buying a pro-sumer/professional device like an EdgeRouter and misconfiguring it, but Linksys/Cisco, D-Link, Netgear, etc that are targeted towards home

Re: Thank you, Comcast.

2016-02-26 Thread John Levine
>The difference in blocking any of the existing ports on your list and >blocking UDP/1900 is that the ports on your list are all registered >ports. Port 1900 is not registered - IANA is under the impression it's registered for SSDP. Do you have some reason to believe they're mistaken?

Re: Thank you, Comcast.

2016-02-26 Thread John Levine
>>Customers regularly use various VPN protocols from GRE, SIT, and >> IPIP, monitoring protocols such as SNMP, as well as RTP and SIP (where >> we spend the bulk of our time troubleshooting). > >Not so on consumer broadband access networks, which are what's being >discussed in this thread.

Re: Thank you, Comcast.

2016-02-26 Thread Dovid Bender
11:47:43 To: Dovid B<do...@telecurve.com> Cc: Jared Mauch<ja...@puck.nether.net>; Jason Livingood<jason_living...@cable.comcast.com>; Mody, Nirmal<nirmal_m...@cable.comcast.com>; NANOG list<nanog@nanog.org> Subject: Re: Thank you, Comcast. "We all know...

Re: Thank you, Comcast.

2016-02-26 Thread Rich Kulawiec
On Fri, Feb 26, 2016 at 10:16:33AM -0700, Brielle Bruns wrote: > You can't do anything about idiots buying a pro-sumer/professional > device like an EdgeRouter and misconfiguring it, but Linksys/Cisco, > D-Link, Netgear, etc that are targeted towards home users should be > held to the fire for

Re: Thank you, Comcast.

2016-02-26 Thread Blake Hudson
Blake Hudson wrote on 2/26/2016 2:01 PM: Livingood, Jason wrote on 2/26/2016 1:32 PM: On 2/26/16, 11:44 AM, "Blake Hudson" > wrote: Jason, how do you propose to block SSDP without also blocking legitimate traffic as well (since SSDP uses a port

Re: Thank you, Comcast.

2016-02-26 Thread Blake Hudson
Livingood, Jason wrote on 2/26/2016 1:32 PM: On 2/26/16, 11:44 AM, "Blake Hudson" > wrote: Jason, how do you propose to block SSDP without also blocking legitimate traffic as well (since SSDP uses a port > 1024 and is used as part of the

Re: Thank you, Comcast.

2016-02-26 Thread Damian Menscher via NANOG
2016 08:02:52 > To: Jared Mauch<ja...@puck.nether.net>; Jason Livingood< > jason_living...@cable.comcast.com>; Mody, Nirmal< > nirmal_m...@cable.comcast.com> > Reply-To: Damian Menscher <dam...@google.com> > Cc: NANOG list<nanog@nanog.org> > Subject: Re: Tha

Consumer Equipment Sucks (Re: Thank you, Comcast.)

2016-02-26 Thread Jared Mauch
> On Feb 26, 2016, at 2:28 PM, Livingood, Jason > wrote: > > I think the bigger culprit is not the stuff ISPs buy but what consumers > buy (aka COAM). I’m certainly not a comcast apologist, (I do wish they would service the communities where they had their call

Re: Thank you, Comcast.

2016-02-26 Thread Livingood, Jason
On 2/26/16, 11:44 AM, "Blake Hudson" > wrote: Jason, how do you propose to block SSDP without also blocking legitimate traffic as well (since SSDP uses a port > 1024 and is used as part of the ephemeral port range on some devices) ? As Roland suggested,

Re: Thank you, Comcast.

2016-02-26 Thread Livingood, Jason
On 2/26/16, 12:33 PM, "NANOG on behalf of Octavio Alvarez" wrote: >On 26/02/16 09:16, Brielle Bruns wrote: >> Place the blame for local resolvers listening on WAN squarely where it >>belongs - the router vendors who make these

Re: Thank you, Comcast.

2016-02-26 Thread Brielle Bruns
On 2/26/16 10:22 AM, Mike Hammett wrote: Said in a forum comprised largely of ISPs? Bold move. I appreciate the work the technical people here do, but doesn't change the fact that the people who call the shots aren't always on the same page or have the same goals as do the technical people.

Re: Thank you, Comcast.

2016-02-26 Thread John Kristoff
On Fri, 26 Feb 2016 07:20:28 +0100 (CET) Mikael Abrahamsson wrote: > I know historically there were resolvers that used UDP/53 as source > port for queries, but is this the case nowadays? Empirically from what I've observed, much less than there once was. Looking at a sample

Re: Thank you, Comcast.

2016-02-26 Thread Dovid Bender
, 26 Feb 2016 10:16:33 To: <nanog@nanog.org> Subject: Re: Thank you, Comcast. On 2/26/16 10:02 AM, Chris Adams wrote: >> >> Except that half the time people run their own DNS resolvers because >> their provider's resolvers are > > Resolver != authoritative server. Your

Re: Thank you, Comcast.

2016-02-26 Thread Jared Mauch
Disconnecting the US isn’t a viable solution. > On Feb 26, 2016, at 1:48 PM, Dovid Bender wrote: > > We all know what countries this traffic is coming from. While you can > threaten the local ISP's the ones over seas where the traffic is coming from > won't care.

Re: Thank you, Comcast.

2016-02-26 Thread Valdis . Kletnieks
On Fri, 26 Feb 2016 10:52:55 -0500, Jay Nugent said: > However, if a 'provider' wishes to block ANYTHING, then they need to > inform the customer IN WRITING exactly what will be blocked so that > customer doesn't waste their time and money with said (limited) service > and vote with their

Re: Thank you, Comcast.

2016-02-26 Thread Dovid Bender
g-boun...@nanog.org>Date: Fri, 26 Feb 2016 08:02:52 To: Jared Mauch<ja...@puck.nether.net>; Jason Livingood<jason_living...@cable.comcast.com>; Mody, Nirmal<nirmal_m...@cable.comcast.com> Reply-To: Damian Menscher <dam...@google.com> Cc: NANOG list<nanog@nanog.org

Re: Thank you, Comcast.

2016-02-26 Thread Henry Yen
On Fri, Feb 26, 2016 at 12:17:32PM -0500, Rich Kulawiec wrote: > On Fri, Feb 26, 2016 at 08:55:20AM -0700, Keith Medcalf wrote: > > On Friday, 26 February, 2016 08:13, jason_living...@comcast.com said: > > > http://customer.xfinity.com/help-and-support/internet/list-of-blocked- > > > ports/ > > >

Re: Thank you, Comcast.

2016-02-26 Thread Jared Mauch
> On Feb 26, 2016, at 12:42 PM, John Levine wrote: > > Huh. Is it 1998 again? More like NANOG again. - jared

Re: Thank you, Comcast.

2016-02-26 Thread Roland Dobbins
On 26 Feb 2016, at 22:52, Jay Nugent wrote: Customers regularly use various VPN protocols from GRE, SIT, and IPIP, monitoring protocols such as SNMP, as well as RTP and SIP (where we spend the bulk of our time troubleshooting). Not so on consumer broadband access networks, which are

Re: Thank you, Comcast.

2016-02-26 Thread Roland Dobbins
On 27 Feb 2016, at 0:25, Anthony Junk wrote: There is so much arrogance in these posts saying that these things should be blocked because it's best or because it's negligible. I think there's a lack of comprehension on the part of those who don't run large networks and/or who aren't

Re: Thank you, Comcast.

2016-02-26 Thread John Levine
In article you write: >ISP's should block nothing, to or from the customer, unless they make it clear >*before* selling the service (and include it in the Terms and >Conditions of Service Contract), that they are not selling an Internet

Re: Thank you, Comcast.

2016-02-26 Thread Chris Adams
Once upon a time, Brielle Bruns said: > UDP is a fun protocol - stateless, so blocking a DST of 53/UDP to > the customer also will block responses to recursive queries that > originate from SRC 53/UDP. Connection tracking sorta makes it > stateful to a point, but it can get ugly

Re: Thank you, Comcast.

2016-02-26 Thread Octavio Alvarez
On 26/02/16 09:16, Brielle Bruns wrote: > Place the blame for local resolvers listening on WAN squarely where it > belongs - the router vendors who make these devices. As long as ISPs massively buy crappy hardware pieces, vendors will make them and sell them. That's how it works. Best regards.

Re: Thank you, Comcast.

2016-02-26 Thread Roland Dobbins
On 27 Feb 2016, at 0:16, Brielle Bruns wrote: You can't do anything about idiots buying a pro-sumer/professional device like an EdgeRouter and misconfiguring it, but Linksys/Cisco, D-Link, Netgear, etc that are targeted towards home users should be held to the fire for that kind of screw up.

RE: Thank you, Comcast.

2016-02-26 Thread Jay Nugent
016 07:19 To: Mikael Abrahamsson Cc: NANOG list Subject: Re: Thank you, Comcast. I agree, At the very least things like SNMP/NTP should be blocked. I mean how many people actually run a legit NTP server out of their home? Dozens? And the people who run SNMP devices with the default/common communi

Re: Thank you, Comcast.

2016-02-26 Thread Roland Dobbins
On 27 Feb 2016, at 0:16, Brielle Bruns wrote: UDP is a fun protocol - stateless, so blocking a DST of 53/UDP to the customer also will block responses to recursive queries that originate from SRC 53/UDP. Which are relatively rare, these days. Any device doing this by default is likely

Re: Thank you, Comcast.

2016-02-26 Thread Mike Hammett
day, February 26, 2016 11:09:03 AM Subject: Re: Thank you, Comcast. On 2/26/16 10:01 AM, Mike Hammett wrote: > They have to be honest or face litigation. Transparency is the biggest (if > not the only) useful thing out of the Open Internet Order. As long as the profit from doing

Re: Thank you, Comcast.

2016-02-26 Thread Rich Kulawiec
On Fri, Feb 26, 2016 at 11:04:49AM -0500, Curtis Maurand wrote: > I run my own resolver from behind my firewall at my home. I don't > allow incoming port 53 traffic. I realize there's not a lot of > privacy on the net, but I don't like having my dns queries tracked > in order to target

Re: Thank you, Comcast.

2016-02-26 Thread Anthony Junk
There is so much arrogance in these posts saying that these things should be blocked because it's best or because it's negligible. The point of having an open internet is that people are going to have use cases that you haven't even thought of and should not be hindered. Even the reasons you have

RE: Thank you, Comcast.

2016-02-26 Thread Naslund, Steve
I don't have a problem with an ISP blocking certain things by default as long as they identify them like Comcast has done especially for consumer service. It would be nice if there was a way to opt out of the protection for the few people that need those services either through a web interface

Re: Thank you, Comcast.

2016-02-26 Thread Rich Kulawiec
On Fri, Feb 26, 2016 at 08:55:20AM -0700, Keith Medcalf wrote: > > On Friday, 26 February, 2016 08:13, jason_living...@comcast.com said: > > > FWIW, Comcast's list of blocked ports is at > > http://customer.xfinity.com/help-and-support/internet/list-of-blocked- > > ports/. The suspensions this

Re: Thank you, Comcast.

2016-02-26 Thread Brielle Bruns
On 2/26/16 10:02 AM, Chris Adams wrote: Except that half the time people run their own DNS resolvers because their provider's resolvers are Resolver != authoritative server. Your local DNS resolver doesn't need to be (and should not be) listening to port 53 on the Internet. Only DNS

RE: Thank you, Comcast.

2016-02-26 Thread Naslund, Steve
Sent: Friday, February 26, 2016 10:01 AM To: NANOG list Subject: Re: Thank you, Comcast. Works fine on a default Chrome installation. *shrugs* - Mike Hammett Intelligent Computing Solutions http://www.ics-il.com Midwest-IX http://www.midwest-ix.com - Original Message - From

Re: Thank you, Comcast.

2016-02-26 Thread Brielle Bruns
On 2/26/16 10:01 AM, Mike Hammett wrote: They have to be honest or face litigation. Transparency is the biggest (if not the only) useful thing out of the Open Internet Order. As long as the profit from doing shady things and lying is greater than the cost of settling a lawsuit, companies

Re: Thank you, Comcast.

2016-02-26 Thread Mike Hammett
nanog.org Sent: Friday, February 26, 2016 10:47:55 AM Subject: Re: Thank you, Comcast. I disagree...the point of what I sent (missed by some) is that in just this small audience there are many that do/have/know about customers that run their own stuff. Trying to blow it off, or minim

Re: Thank you, Comcast.

2016-02-26 Thread Chris Adams
Once upon a time, Brielle Bruns said: > >I'm fine with that. Residential customers shouldn't be running DNS > >servers anyway and as far as the outside resolvers to go, e... I > >see the case for OpenDNS given that you can use it to filter (though > >that's easily bypassed),

Re: Thank you, Comcast.

2016-02-26 Thread Mike Hammett
: "Brielle Bruns" <br...@2mbit.com> To: "Mike Hammett" <na...@ics-il.net> Cc: nanog@nanog.org Sent: Friday, February 26, 2016 10:46:27 AM Subject: Re: Thank you, Comcast. On 2/26/16 9:15 AM, Mike Hammett wrote: > I think you'd be hard pressed to find more tha

Re: Thank you, Comcast.

2016-02-26 Thread Roland Dobbins
On 26 Feb 2016, at 23:44, Blake Hudson wrote: Jason, how do you propose to block SSDP without also blocking legitimate traffic as well (since SSDP uses a port > 1024 and is used as part of the ephemeral port range on some devices) ? I'm not Jason, but blocking specific port-pairs such as

Re: Thank you, Comcast.

2016-02-26 Thread David Bass
.midwest-ix.com > > - Original Message - > > From: "Brielle Bruns" <br...@2mbit.com> > To: nanog@nanog.org > Sent: Friday, February 26, 2016 9:56:40 AM > Subject: Re: Thank you, Comcast. > >> On 2/26/16 6:27 AM, Mike Hammett wrote: >

Re: Thank you, Comcast.

2016-02-26 Thread Brielle Bruns
On 2/26/16 9:15 AM, Mike Hammett wrote: I think you'd be hard pressed to find more than a tenth of a percent of people attempt to run their own DNS server. Some do because they think it'll be better in some way. Rare is the occasion where anything user configured would outperform a local DNS

Re: Thank you, Comcast.

2016-02-26 Thread Blake Hudson
Livingood, Jason wrote on 2/26/2016 9:12 AM: FWIW, Comcast's list of blocked ports is at http://customer.xfinity.com/help-and-support/internet/list-of-blocked-ports/. The suspensions this week are in direct response to reported abuse from amplification attacks, which we obviously take very

Re: Thank you, Comcast.

2016-02-26 Thread Roland Dobbins
On 26 Feb 2016, at 23:15, Mike Hammett wrote: I think you'd be hard pressed to find more than a tenth of a percent of people attempt to run their own DNS server. You'll find a heck of a lot more of them doing so unknowingly, because they're running misconfigured, abusable CPE devices which

Re: Thank you, Comcast.

2016-02-26 Thread Roland Dobbins
On 26 Feb 2016, at 23:02, Damian Menscher via NANOG wrote: What I'd much rather see Comcast do is use their netflow to trace the source of the spoofed packets (one of their peers or transit providers, no doubt) and strongly encourage (using their legal or PR team as needed) them to trace

Re: Thank you, Comcast.

2016-02-26 Thread Mike Hammett
no form of trickery. - Mike Hammett Intelligent Computing Solutions http://www.ics-il.com Midwest-IX http://www.midwest-ix.com - Original Message - From: "Brielle Bruns" <br...@2mbit.com> To: nanog@nanog.org Sent: Friday, February 26, 2016 9:56:40 AM Subjec

Re: Thank you, Comcast.

2016-02-26 Thread Curtis Maurand
I run my own resolver from behind my firewall at my home. I don't allow incoming port 53 traffic. I realize there's not a lot of privacy on the net, but I don't like having my dns queries tracked in order to target advertising at me and for annoying failed queries to end up at some

Re: Thank you, Comcast.

2016-02-26 Thread Damian Menscher via NANOG
On Fri, Feb 26, 2016 at 6:28 AM, Jared Mauch wrote: > As a community we need to determine if this background radiation and these > responses are proper. I think it's a good response since vendors can't do > uRPF at line rate and the major purchasers of BCM switches don't

Re: Thank you, Comcast.

2016-02-26 Thread Brielle Bruns
On 2/26/16 7:31 AM, Keith Medcalf wrote: ISP's should block nothing, to or from the customer, unless they make it clear*before* selling the service (and include it in the Terms and Conditions of Service Contract), that they are not selling an Internet connection but are selling a partially

Re: Thank you, Comcast.

2016-02-26 Thread Maxwell Cole
That's not really a fair comparison, I think a lot of people have issues with people censoring/controlling/prioritizing internet access to make money. It's a somewhat more nuanced conversation when you are talking about doing the same thing to prevent abuse. Cheers, Max > On Feb 26, 2016, at

RE: Thank you, Comcast.

2016-02-26 Thread Philip Dorr
On Feb 26, 2016 8:34 AM, "Keith Medcalf" wrote: > > > ISP's should block nothing, to or from the customer, unless they make it clear *before* selling the service (and include it in the Terms and Conditions of Service Contract), that they are not selling an Internet connection

Re: Thank you, Comcast.

2016-02-26 Thread Mike Hammett
" <nanog@nanog.org> Cc: "Nirmal Mody" <nirmal_m...@cable.comcast.com> Sent: Friday, February 26, 2016 9:55:20 AM Subject: RE: Thank you, Comcast. On Friday, 26 February, 2016 08:13, jason_living...@comcast.com said: > FWIW, Comcast's list of blocked ports is at > http

Re: Thank you, Comcast.

2016-02-26 Thread Brielle Bruns
On 2/26/16 6:27 AM, Mike Hammett wrote: "you will also block legitimate return traffic if the customers run their own DNS servers or use opendns / google dns / etc." I'm fine with that. Residential customers shouldn't be running DNS servers anyway and as far as the outside resolvers to go,

RE: Thank you, Comcast.

2016-02-26 Thread Keith Medcalf
ruary, 2016 07:19 > To: Mikael Abrahamsson > Cc: NANOG list > Subject: Re: Thank you, Comcast. > I agree, > At the very least things like SNMP/NTP should be blocked. I > mean how many > people

Re: Thank you, Comcast.

2016-02-26 Thread David Bass
icing/Congestion policies, inbound and outbound > > Some ISPs are good at this and provide opt-in/out methods for at least the > first three on the list. Others not so much. > >> -Original Message- >> From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Maxwell Cole >> Se

Re: Thank you, Comcast.

2016-02-26 Thread James Downs
> On Feb 26, 2016, at 06:31, Keith Medcalf wrote: > > ISP's should block nothing, to or from the customer, unless they make it > clear *before* selling the service (and include it in the Terms and > Conditions of Service Contract), that they are not selling an Internet >

Re: Thank you, Comcast.

2016-02-26 Thread Mike Hammett
: "Keith Medcalf" <kmedc...@dessus.com> To: "NANOG list" <nanog@nanog.org> Sent: Friday, February 26, 2016 8:31:47 AM Subject: RE: Thank you, Comcast. ISP's should block nothing, to or from the customer, unless they make it clear *before* selling the serv

Re: Thank you, Comcast.

2016-02-26 Thread Livingood, Jason
he list. Others not so much. -Original Message- From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Maxwell Cole Sent: Friday, 26 February, 2016 07:19 To: Mikael Abrahamsson Cc: NANOG list Subject: Re: Thank you, Comcast. I agree, At the very least things like SNMP/NTP should be blo

Re: Thank you, Comcast.

2016-02-26 Thread Livingood, Jason
On 2/26/16, 8:27 AM, "NANOG on behalf of Mike Hammett" wrote: >"you will also block legitimate return traffic if the >customers run their own DNS servers or use opendns / google dns / etc." > >I'm fine with that. Residential customers

Re: Thank you, Comcast.

2016-02-26 Thread Livingood, Jason
And you'd be correct (about SSDP). ;-) - Jason (Comcast) On 2/25/16, 10:52 PM, "NANOG on behalf of Paras Jha" wrote: >It's interesting that they'd call about DNS amplification... You don't >typically see DNS amplified floods

RE: Thank you, Comcast.

2016-02-26 Thread Keith Medcalf
Behalf Of Maxwell Cole > Sent: Friday, 26 February, 2016 07:19 > To: Mikael Abrahamsson > Cc: NANOG list > Subject: Re: Thank you, Comcast. > > I agree, > > At the very least things like SNMP/NTP should be blocked. I mean how many > people actually run a legit NTP server out of the

Re: Thank you, Comcast.

2016-02-26 Thread Jared Mauch
Most of the NTP hosts have been remediated or blocked. Using QoS to set a cap of the amount of SNMP and DNS traffic is a fair response IMHO. Some carriers eg: 7018 block chargen wholesale across their network. We haven't taken that step but it's also something I'm not opposed to. As a

Re: Thank you, Comcast.

2016-02-26 Thread Maxwell Cole
I agree, At the very least things like SNMP/NTP should be blocked. I mean how many people actually run a legit NTP server out of their home? Dozens? And the people who run SNMP devices with the default/common communities aren’t the ones using it. If the argument is that you need a Business

Re: Thank you, Comcast.

2016-02-26 Thread Mike Hammett
Dovid Bender" <do...@telecurve.com> To: "Mike Hammett" <na...@ics-il.net>, "NANOG" <nanog-boun...@nanog.org> Cc: "NANOG list" <nanog@nanog.org> Sent: Friday, February 26, 2016 7:32:09 AM Subject: Re: Thank you, Comcast. I had a client

Re: Thank you, Comcast.

2016-02-26 Thread Mikael Abrahamsson
On Fri, 26 Feb 2016, Nick Hilliard wrote: Traffic from dns-spoofing attacks generally has src port = 53 and dst port = random. If you block packets with udp src port=53 towards customers, you will also block legitimate return traffic if the customers run their own DNS servers or use opendns

Re: Thank you, Comcast.

2016-02-26 Thread Roland Dobbins
On 26 Feb 2016, at 20:17, Nick Hilliard wrote: If you block packets with udp src port=53 towards customers, you will also block legitimate return traffic if the customers run their own DNS servers or use opendns / google dns / etc. Actually, what they're talking about is blocking packets

Re: Thank you, Comcast.

2016-02-26 Thread Ca By
On Thursday, February 25, 2016, Mike Hammett wrote: > I know. It seems odd, doesn't it? > > They're actually suspending people's accounts for DNS amplification. My > aunt got a call about it tonight. I had already firewalled that off on her > router before they called, but

Re: Thank you, Comcast.

2016-02-26 Thread Dovid Bender
Date: Fri, 26 Feb 2016 07:27:50 Cc: NANOG list<nanog@nanog.org> Subject: Re: Thank you, Comcast. "you will also block legitimate return traffic if the customers run their own DNS servers or use opendns / google dns / etc." I'm fine with that. Residential customers shouldn't be

Re: Thank you, Comcast.

2016-02-26 Thread Mike Hammett
oobar.org> To: "Mikael Abrahamsson" <swm...@swm.pp.se> Cc: "NANOG list" <nanog@nanog.org> Sent: Friday, February 26, 2016 7:17:30 AM Subject: Re: Thank you, Comcast. Mikael Abrahamsson wrote: > Why isn't UDP/53 blocked towards customers? I know histori

Re: Thank you, Comcast.

2016-02-26 Thread Nick Hilliard
Mikael Abrahamsson wrote: > Why isn't UDP/53 blocked towards customers? I know historically there > were resolvers that used UDP/53 as source port for queries, but is this > the case nowadays? > > I know providers that have blocked UDP/53 towards customers as a > countermeasure to the

Re: Thank you, Comcast.

2016-02-26 Thread Mike Hammett
"Jared Mauch" <ja...@puck.nether.net> Cc: "NANOG list" <nanog@nanog.org> Sent: Friday, February 26, 2016 12:20:28 AM Subject: Re: Thank you, Comcast. On Thu, 25 Feb 2016, Jared Mauch wrote: > Make sure you permit TCP/53 for DNS queries so if TC=1 lookups wor

Re: Thank you, Comcast.

2016-02-25 Thread Mikeal Clark
Totally agree. It's silly that my home lab has to cost me 5x the normal rate if I want to use some of the standard ports but that is normal now. On Fri, Feb 26, 2016 at 12:27 AM, Mark Andrews wrote: > > In message , Mikael >

Re: Thank you, Comcast.

2016-02-25 Thread Mark Andrews
In message , Mikael Abrahamsson writes: > On Thu, 25 Feb 2016, Jared Mauch wrote: > > > Make sure you permit TCP/53 for DNS queries so if TC=1 lookups work. > > Speaking of which, historically ISPs have been blocking TCP/135, TCP/445 > and

Re: Thank you, Comcast.

2016-02-25 Thread Mikael Abrahamsson
On Thu, 25 Feb 2016, Jared Mauch wrote: Make sure you permit TCP/53 for DNS queries so if TC=1 lookups work. Speaking of which, historically ISPs have been blocking TCP/135, TCP/445 and a few others towards customers (at least that's what I know). TCP/25 seems to be blocked as well. Why

Re: Thank you, Comcast.

2016-02-25 Thread Jared Mauch
SSDP, DNS and other amplification is a big issue for large consumer networks like Comcast. This is something I’m hoping other vendors take seriously (eg: Netgear) when it comes to their usage of DNSMASQ and other tools on-box and iptables configs that promote spoofing by using IP ranges vs

Re: Thank you, Comcast.

2016-02-25 Thread Roland Dobbins
On 26 Feb 2016, at 10:52, Paras Jha wrote: You don't typically see DNS amplified floods coming from home ISPs. Actually, it's quite common, as a lot of CPE have abusable DNS forwarders running on their public interfaces. DNS, SSDP, and SNMP reflection/amplification quite commonly emanate

Re: Thank you, Comcast.

2016-02-25 Thread Paras Jha
It's interesting that they'd call about DNS amplification... You don't typically see DNS amplified floods coming from home ISPs. I would imagine SSDP amplification is a far greater issue for any home ISP. On Thu, Feb 25, 2016 at 10:46 PM, Mike Hammett wrote: > I know. It seems

Re: Thank you Comcast

2014-04-17 Thread Mehmet Akcin
+ Redmond, WA. Good job guys. mehmet On Apr 17, 2014, at 7:28 PM, Michael T. Voity mvo...@uvm.edu wrote: To the Comcast v6 Team, Thank you for enabling my CMTS for v6 in Colchester, VT Works great! Thanks, -Mike Michael T. Voity Network Engineer University of Vermont

Re: Thank you Comcast

2014-04-17 Thread Doug Barton
Please don't reply to a message on the list and change the subject line. Doing so causes your new topic to show under the previous one for those using mail readers that thread properly, and may cause your message to be missed altogether if someone has blocked that thread. Instead, save the