diskace (Retired Premium Member, join: 2002-02-21)
2015-Nov-30 3:59 pm
Port 53 UDP incoming to be blocked 1 January 2016
Hi guys, just a heads up: as of 1 January 2016 we will be blocking port 53 UDP on the inbound side for security reasons.
If you have static IPs with Ebox, your ports will be open (SMTP 25 and UDP DNS 53), but if you are on Cable or DSL with DHCP you must move to static if you are running DNS servers.
This is because too many end users are running open recursive DNS servers and are part of the not-so-recent DNS amplification problem.
Thank you for your understanding.
Hello, please note that as of 1 January 2016 inbound UDP port 53 will be blocked for security reasons.
If you have static IPs, this port will remain open (as will SMTP port 25), but if you are on cable or DSL via DHCP you must upgrade to static to keep running DNS servers.
This is the result of a DNS amplification problem present on the network, caused by open DNS servers that accept recursion. Since the problem is growing and poses a risk to the security of the network, we will apply these changes quickly to reduce it. You therefore have until 1 January 2016 to make the changes.
Thank you for your understanding.
EyEvil (join: 2014-08-18, Longueuil, QC)
Member
2015-Nov-30 7:44 pm
And with vCable you can't get a static address. And I'm not going to switch to DSL; I haven't in the last 15 years.
Otherwise, thanks for the information.
P.S. Can you specify whether cCable and rCable are eligible for static addresses?
said by EyEvil: And with vCable you can't get a static address. And I'm not going to switch to DSL; I haven't in the last 15 years.
Otherwise, thanks for the information.
P.S. Can you specify whether cCable and rCable are eligible for static addresses?
Unfortunately it is not possible to have static addresses on Cable.
Curious Moi to diskace
Anon
2015-Dec-1 8:46 am
Does it affect the Ebox network as a whole? Is the Ebox network that fragile? Will blocking incoming UDP port 53 make the Ebox network more stable?
If the answer is no, then why should Ebox be the port police? Is having incoming port 53 open some sort of crime that needs to end?
Thanks for the reply.
sbrook (Mod, join: 2001-12-14, Ottawa)
» www.us-cert.gov/ncas/ale ··· A13-088A
DNS DDoS attacks can cripple even large networks.
Curious Moi
Anon
2015-Dec-1 11:27 am
I'm aware of the DNS amplification attacks. However, this is the first time I've noticed a wholesaler port block due to this (I could be wrong though).
Why not do some sort of response rate limiting on port 53, if possible, instead of just going all out and blocking it?
The amplification attack can also use SNMP and NNTP ports; why not block those as well for everyone?
The bottom line question is: why is Ebox blocking it? Are they being affected by it? It seems not, if they allow it on static IPs. So it seems weird to me.
sbrook (Mod, join: 2001-12-14, Ottawa)
2015-Dec-1 11:36 am
Yes, other ports/services could be used, but the most common is 53/DNS ... Blocking is by far the simplest mechanism for effective control, whereas rate limiting is far more complex. And by and large very few people will be impacted by this.
to diskace
Ebox receives hundreds of complaints per day about open recursive servers. Attackers use customers' open servers to attack. Then the targets attack the customers... For a time we tried to contact users, but 99% of the time the customers are not aware of the recursive DNS server running on their computer. So it is really time-consuming and causes a lot of complaints from other networks and issues for Ebox customers. To be honest, I don't think it is a good idea to run a DNS server on a dynamic address...
to Curious Moi
said by Curious Moi: I'm aware of the DNS amplification attacks. However, this is the first time I've noticed a wholesaler port block due to this (I could be wrong though).
Why not do some sort of response rate limiting on port 53, if possible, instead of just going all out and blocking it?
The amplification attack can also use SNMP and NNTP ports; why not block those as well for everyone?
The bottom line question is: why is Ebox blocking it? Are they being affected by it? It seems not, if they allow it on static IPs. So it seems weird to me.
They are not the first wholesaler to block 53/UDP on dynamic IPs; most recently, Teksavvy blocked it over a year ago. 53/UDP is a particular concern since a very large number of consumer routers reply recursively to DNS by default, often forwarding the query to the ISP's DNS server first, doubling the number of impacted parties. SNMP and UPnP services are more rarely enabled WAN-side, so it is a lesser problem. In order to preserve the integrity of their DNS servers, as well as minimize abuse complaints and the overhead of managing them vis-à-vis their customer base, blocking UDP/53 becomes an inevitable need. Much like TCP/25 was almost 20 years ago.
Curious Moi to interweb
Anon
2015-Dec-1 7:05 pm
Thank you for taking the time to explain your side of things. Makes sense, I guess.
to diskace
Does this mean I won't be able to use a DNS server other than Ebox's? Will manually configuring 8.8.8.8 no longer work for my devices?
HoTiCE
Member
2015-Dec-2 12:41 pm
said by eviljafar: Does this mean I won't be able to use a DNS server other than Ebox's? Will manually configuring 8.8.8.8 no longer work for my devices?
No, this will not affect the DNS servers that EBOX customers wish to use.
PBusque
Anon
2016-Jan-6 9:39 pm
Just great.
I moved away from Videotron because they were blocking ports left and right (25, 21, 80, etc.). With ports starting to get blocked all over again, I may have to consider looking elsewhere if that goes on. Especially if the client is not considered important enough to be warned of the loss of service.
sbrook (Mod, join: 2001-12-14, Ottawa)
2016-Jan-6 10:14 pm
You will find that ALL ISPs will be doing this.
smogers to PBusque
Anon
2016-Jan-6 10:16 pm
said by PBusque: Just great.
I moved away from Videotron because they were blocking ports left and right (25, 21, 80, etc.). With ports starting to get blocked all over again, I may have to consider looking elsewhere if that goes on. Especially if the client is not considered important enough to be warned of the loss of service.
Most if not all ISPs block ports 53 and 25 now. It is not a loss of service.
·EBOX
to PBusque
said by PBusque: Just great.
I moved away from Videotron because they were blocking ports left and right (25, 21, 80, etc.). With ports starting to get blocked all over again, I may have to consider looking elsewhere if that goes on. Especially if the client is not considered important enough to be warned of the loss of service.
You know, you should just have a business internet connection instead. Oh wait, you don't have a business, so you can't subscribe. Then why not use the so many other ports available out of the 65535 total?
diskace (Retired Premium Member, join: 2002-02-21)
2016-Jan-7 10:25 am
Ports are unblocked if you take a static IP with us.
This is only available on DSL / FTTN at the moment (residential or business).
pbusque (join: 2016-01-07, Saint-Amable, QC)
to Lebon14
said by Lebon14: You know, you should just have a business internet connection instead.
Oh wait, you don't have a business, so you can't subscribe.
Then why not use the so many other ports available out of the 65535 total?
I would go business if I could, since the pricing seems to be identical. Except, well, no business. And no, I can't use another port. It's a public port, and public ports are defined by CONVENTIONS. Were I to use any other port, no system would recognize it. You can't specify a port when you define a name server. So 1053, 2053, etc. will never work. The same goes for mail ports and such, which I also find ridiculous to block. People will spam with outgoing connections, not incoming....
pbusque
to diskace
Which is the issue. Cable here. Still waiting for the "feature" on cable. We've been waiting years for static IP and nothing has changed.
diskace (Retired Premium Member, join: 2002-02-21)
2016-Jan-7 6:06 pm
Then you need business dedicated fiber, where you can do that kind of stuff. We do provide such a service, but it generally starts around $500/month and up.
sbrook (Mod, join: 2001-12-14, Ottawa)
to pbusque
You won't get static IPs on cable ... the whole cable infrastructure using DHCP is designed with dynamic IPs in mind.
The reason for blocking incoming connections is that mail servers set up on home networks are often poorly managed and all too often permit relaying to people within the ISP's network (which usually doesn't block SMTP ... they're blocked at the boundary).
linus (join: 2015-11-10, Canada)
to diskace
An alternative would be running it on a VPS. They're cheap, have a static IP, don't block ports, and the connection is much faster. I use DigitalOcean; their $5 per month plan gives me a 1 TB cap, and that is only for upload. Hosting offsite is normally better too, since you don't have to worry about your home connection getting suspended due to abuse.
to PBusque
said by PBusque: Just great.
I moved away from Videotron because they were blocking ports left and right (25, 21, 80, etc.). With ports starting to get blocked all over again, I may have to consider looking elsewhere if that goes on. Especially if the client is not considered important enough to be warned of the loss of service.
Wouldn't blocking port 80 negate web access? I'm a paper pusher now, so maybe my technical knowledge is horribly inaccurate lol
linus (join: 2015-11-10, Canada)
Member
2016-Jan-8 11:04 pm
said by Dunlop: said by PBusque: Just great.
I moved away from Videotron because they were blocking ports left and right (25, 21, 80, etc.). With ports starting to get blocked all over again, I may have to consider looking elsewhere if that goes on. Especially if the client is not considered important enough to be warned of the loss of service.
Wouldn't blocking port 80 negate web access? I'm a paper pusher now, so maybe my technical knowledge is horribly inaccurate lol
Yes, blocking outbound port 80 would block web access, but what the ISPs are doing is blocking inbound ports only. The port blocking is done in the ISP's firewall to only block unsolicited traffic that is being sent to a user of the ISP, not from one. Once a TCP connection is established, it can communicate in and out until it is terminated.
Dunlop
Member
2016-Jan-8 11:23 pm
thanks for clearing that up for me ; )