Re: Gi Firewall for mobile subscribers

[Dovid Bender <dovid () telecurve com>]

I don't v6 stats yet but it would be interesting to see. I did a tcpdump on
one v6 IP and saw hundreds of requests to port 25.


On Wed, Apr 10, 2019 at 10:43 AM Ca By <cb.list6 () gmail com> wrote:

> On Wed, Apr 10, 2019 at 7:06 AM Dovid Bender <dovid () telecurve com> wrote:
>
> > I think the traffic Amos is referring to is random traffic hitting the
> > devices causing them to "wake up". Everyone here knows a simple dump on
> > port 22 will show traffic. We  have a /22 that gets an avg of 1-2 mbit of
> > random traffic (mainly 22 and 3389).
>
> I believe he was talking about ipv6.
>
> Does this backscatter happen in ipv6 given how impractical scanning ipv6
> is ?
>
>
>
> > On Wed, Apr 10, 2019 at 9:49 AM Ca By <cb.list6 () gmail com> wrote:
> >
> > > On Wed, Apr 10, 2019 at 6:23 AM Amos Rosenboim <amos () oasis-tech net>
> > > wrote:
> > >
> > > > Hello NANOG,
> > > >
> > > >
> > > >
> > > > We are discussing internally and wanted to get more opinions and
> > > > especially more data on what are people actually doing.
> > > >
> > > > We are running an ISP network with about 150K fixed broadband users,
> > > > running dual stack (IPv4 behind CGNAT).
> > > >
> > > > On the ISP network  IPv6 is simply routed, and is firewalled on the CPE.
> > > >
> > > >
> > > >
> > > > This network added mobile services about a year ago, also dual stack
> > > > (we have no control on the mobile devices so we were too concerned to
> > > > choose IPv6 only access).
> > > >
> > > > We have an ongoing discussion about Gi firewall (adding a firewall
> > > > between the subscribers and the internet, allowing only subscriber
> > > > initiated connections), for the IPv6 traffic.
> > > >
> > > >
> > > >
> > > > The firewall is doing very little security, the ruleset is very basic,
> > > > allowing anything from subscribers to the internet and blocking all traffic
> > > > from the internet towards the subscribers.
> > > >
> > > > We have a few rules to limit the number of connections per subscriber
> > > > (to a relatively high number) and that is it.
> > > >
> > > >
> > > >
> > > > One of the arguments in favor of having the firewall is that
> > > > unsolicited traffic from the internet can “wake” idle mobile devices, and
> > > > create signaling (paging) storms as well as drain user batteries.
> > > >
> > > >
> > > >
> > > > On the other hand, allowing only subscriber initiated traffic is mostly
> > > > achievable using ACLs on the mobile core facing routers, or is it with the
> > > > growing percentage of UDP traffic ?
> > > >
> > > >
> > > >
> > > > BTW – I don’t mention IPv4 traffic on the mobile network as it’s all
> > > > behind CGNAT which don’t allow internet initiated connections.
> > > >
> > > >
> > > >
> > > > Anyway, we are very interested to know hear more opinions,  and
> > > > especially to hear what are other mobile operators do.
> > > >
> > > >
> > > >
> > > > Regards
> > > >
> > > >
> > > >
> > > > Amos
> > >
> > > Step outside the theoretical and model your real threats. Attack
> > > yourself of pay someone to do a real pentest.
> > >
> > > 1. Does a hacker know the ipv6 of your subs? How frequently does the sub
> > > get a new 128 bit address?
> > >
> > > 2.  What does the hacker get from a paging storm?  Economic benefit ?
> > > Lolz? Has a malicious paging storm ever happened in the real world?  What
> > > level of effort would be required to trigger that?  Is that level of effort
> > > more or less than it would take to tip over a stateful firewall (session
> > > exhaustion, pps attack, alg bugs, vulns in the fw
> > >
> > > https://www.zdnet.com/article/cisco-removed-its-seventh-backdoor-account-this-year-and-thats-a-good-thing/
> > > )
> > >
> > > 3. Assuming the hacker gleans the address of the sub, what ports are
> > > open in the real world? What can a hacker connect to and accomplish?
> > >
> > >
> > >
> > > >