Rob;
On Sat, 2015-10-10 at 21:06 +0200, Rob Janssen wrote:
> Please MAKE SURE that you block all incoming SNMP
> traffic from internet to amprnet!
> (especially when you are using community names like "public")
Of course I have that filtered.
> The bad guys use SNMP as an attack amplifier.
> One time I moved a switch to another address and it became exposed, and within 3 days I
> had an abuse report.
> Now I have a general rule that drops all SNMP at our gateway.
That's what I do here, drop all SNMP out; however, it doesn't prevent the
incoming floods of frames. You have to actually receive them in order to
drop them... like amps need to pass 100% through a fuse/breaker to blow
it.
I found the source host and it's been halted. The device was a firewall
of all things.
> (of course the real problem is the ISPs that refuse to
> implement BCP38, source address filtering)
In this case, the ISP was behind granting their client permission to
attack. Nice policy, eh? Reason: *I* was not their paying customer.
I could pursue negligence if I wanted to push the issue.
--
Dolphins are so smart that within a few weeks of captivity, they
can train people to stand on the very edge of the pool and throw them
fish.
73 de Brian - N1URO
email: (see above)
Web: http://www.n1uro.net/
Ampr1: http://n1uro.ampr.org/
Ampr2: http://nos.n1uro.ampr.org
Linux Amateur Radio Services
axMail-Fax & URONode
http://uronode.sourceforge.net
http://axmail.sourceforge.net
AmprNet coordinator for:
Connecticut, Delaware, Maine,
Maryland, Massachusetts,
New Hampshire, Pennsylvania,
Rhode Island, and Vermont.
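As an added example, not taken from Rob's or Brian's gateways, here is an nftables ruleset that puts both points from the thread into one policy: SNMP arriving from the internet is dropped at the gateway (with named counters, since the frames still have to be received before they can be dropped, and the counters show how much flood traffic the link is absorbing), and BCP38 egress filtering stops spoofed source addresses from leaving the site. It assumes eth0 faces the ISP, eth1 faces the 44-net LAN, 192.168.1.0/24 is the management LAN, and 44.0.0.0/8 stands in for the site's own allocation; all four are assumptions to replace with your own values.

```nft
#!/usr/sbin/nft -f
# Added example, not from the thread. Assumed values (replace them):
# eth0 faces the ISP, eth1 faces the AMPRNet LAN, 44.0.0.0/8 stands in
# for the site's own allocation (narrow it to your real subnet), and
# 192.168.1.0/24 is the management LAN.
define wan      = "eth0"
define lan      = "eth1"
define site_net = 44.0.0.0/8
define mgmt_net = 192.168.1.0/24

flush ruleset

table inet amprgw {
    # Frames must be received to be dropped; these counters show how much
    # SNMP flood and spoofed traffic the gateway is absorbing.
    counter snmp_in_drop { }
    counter bcp38_drop   { }

    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop
        # SNMP to the gateway itself only from the management LAN.
        iifname $lan ip saddr $mgmt_net udp dport { 161, 162 } accept
        # Anything SNMP from the internet side is dropped and counted.
        iifname $wan udp dport { 161, 162 } counter name "snmp_in_drop" drop
        # Add the gateway's own management services (ssh etc.) here.
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        # No SNMP from the internet reaches any host behind the gateway,
        # so no switch or firewall here can be turned into an amplifier.
        iifname $wan udp dport { 161, 162 } counter name "snmp_in_drop" drop
        # BCP38 egress filtering: only our own prefix may leave towards
        # the internet; any other source address is spoofed and dropped.
        oifname $wan ip saddr != $site_net counter name "bcp38_drop" drop
        # Outbound from the LAN is otherwise allowed; inbound services to
        # LAN hosts need explicit accept rules added here.
        iifname $lan oifname $wan accept
    }
}
```

Load it with `nft -f` and watch `nft list counters` during a flood to see what the link is still receiving despite the drops.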