nanog mailing list archives

Re: chargen is the new DDoS tool?


From: "Ricky Beam" <jfbeam () gmail com>
Date: Tue, 11 Jun 2013 21:37:04 -0400

On Tue, 11 Jun 2013 19:57:17 -0400, Majdi S. Abbas <msa () latt net> wrote:
        You've never worked for one, have you?

Indeed I have. Which is why I haven't for a great many years. Academics tend to be, well, academic. That is, rather far out of touch with the realities of running / securing a network. I've used the word "incompetent" in previous conversations, but that's mostly a factor of overwork in an environment where few people are ever fired for such.

        Guess what, they have /16s, they use them, and they like
the ability to print from one side of campus to the other.  Are you
suggesting gigantic NATs with 120,000 students and faculty behind them?

Guess what, there are companies that have /8s, and they manage to keep their network(s) reasonably secured. I'm not talking about uber-large NAT; I'm talking about proper boundary security. If you cannot figure out how to keep the internet away from your printers, you should look into other lines of employment. Limiting access of the residential network into the departmental networks is one of the first things in the design of a res-net. Otherwise, there are 25k potential script kiddies (or infected home computers now on your network) waiting to attack everything on campus. But we're headed into the weeds here...

        I have a hard time blaming a school for this.  I have an easy
time wondering why printer manufacturers are including chargen support
in firmware.

I have the same bewilderment about people allowing such unsolicited traffic into their network(s) in the first place. Even with IPv6 (where there's no NAT forcing the issue), I run a default deny policy... if nothing asked for it, it doesn't get in.

Also, why the hell aren't providers doing anything to limit spoofing?!? I'm staring right at you, AT&T (formerly BellSouth).

--Ricky

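As an added illustration of the two boundary controls argued for above (a stateful default-deny ingress policy where "if nothing asked for it, it doesn't get in", and BCP38-style source-address filtering on egress so spoofed packets never leave the network), here is example Python that is not part of the original post or thread. The prefixes, hosts and flow records are constructed for the example; a real border would apply the same two rules in the firewall or router, not in a script.

```python
"""Two border checks over constructed flow records (not from the original post).

1. Egress filtering (BCP38): an outbound packet whose source address is not
   inside a prefix this network owns is spoofed and is dropped before it can
   reach a remote reflector such as an open chargen (UDP/19) service.
2. Stateful default-deny ingress: an inbound packet is accepted only if an
   earlier, non-spoofed outbound packet created matching state; everything
   else, including unsolicited chargen requests aimed at printers, is dropped.
"""
import ipaddress
from collections import Counter

# Assumed example prefixes that this network legitimately originates.
OUR_PREFIXES = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("2001:db8::/32"),
]

# Constructed sample flows in time order; "dir" is relative to our border.
SAMPLE_FLOWS = [
    # An inside host sends a DNS query: legitimate outbound, reply expected.
    {"dir": "out", "proto": "udp", "src": "192.0.2.10", "sport": 40001,
     "dst": "198.51.100.53", "dport": 53, "bytes": 60},
    {"dir": "in", "proto": "udp", "src": "198.51.100.53", "sport": 53,
     "dst": "192.0.2.10", "dport": 40001, "bytes": 120},
    # Spoofed egress: a compromised inside host forges the victim's address
    # as the source and aims the packet at a remote chargen reflector.
    {"dir": "out", "proto": "udp", "src": "203.0.113.7", "sport": 19,
     "dst": "198.51.100.99", "dport": 19, "bytes": 29},
    # Unsolicited inbound chargen requests hitting a printer on our network.
    {"dir": "in", "proto": "udp", "src": "203.0.113.7", "sport": 19,
     "dst": "192.0.2.200", "dport": 19, "bytes": 29},
    {"dir": "in", "proto": "udp", "src": "203.0.113.7", "sport": 4444,
     "dst": "192.0.2.200", "dport": 19, "bytes": 29},
    # Unsolicited inbound TCP SYN to the same printer's web interface.
    {"dir": "in", "proto": "tcp", "src": "198.51.100.8", "sport": 5555,
     "dst": "192.0.2.200", "dport": 80, "bytes": 60},
]


def is_owned(addr, prefixes):
    """True if addr falls inside one of the prefixes this network originates."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in prefixes)


def border_policy(flows, prefixes=OUR_PREFIXES):
    """Apply egress source validation and stateful default-deny ingress.

    Returns a dict with four lists: 'forwarded' (outbound packets that passed
    BCP38), 'spoofed' (outbound packets dropped for a foreign source address),
    'accepted' (inbound packets matching state) and 'unsolicited' (inbound
    packets dropped because nothing inside asked for them).
    """
    state = set()  # 5-tuples of outbound packets that were actually forwarded
    result = {"forwarded": [], "spoofed": [], "accepted": [], "unsolicited": []}
    for f in flows:
        if f["dir"] == "out":
            if not is_owned(f["src"], prefixes):
                # BCP38: never forward a packet we could not have originated,
                # and never let it create state for a "reply".
                result["spoofed"].append(f)
                continue
            state.add((f["proto"], f["src"], f["sport"], f["dst"], f["dport"]))
            result["forwarded"].append(f)
        else:
            # Inbound is allowed only if the reverse tuple was seen leaving.
            reverse = (f["proto"], f["dst"], f["dport"], f["src"], f["sport"])
            bucket = "accepted" if reverse in state else "unsolicited"
            result[bucket].append(f)
    return result


def chargen_targets(unsolicited):
    """Count unsolicited UDP/19 packets per inside target: each one a printer
    (or other device) that would have answered as a reflector without the
    default-deny policy in front of it."""
    hits = Counter(f["dst"] for f in unsolicited
                   if f["proto"] == "udp" and f["dport"] == 19)
    return dict(hits)


if __name__ == "__main__":
    verdict = border_policy(SAMPLE_FLOWS)
    for name, flows in verdict.items():
        print(f"{name}: {len(flows)}")
    print("unsolicited chargen per target:", chargen_targets(verdict["unsolicited"]))
```

On the sample data the DNS exchange is the only traffic that passes in both directions; the forged-source packet is dropped at egress, and the printer at 192.0.2.200 is never asked to generate a chargen reply because the requests are dropped at ingress.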