[Atlas-anchors-pilot] iDRAC cards are potential DDoS amplifiers

john jbond at ripe.net
Tue Apr 9 17:33:51 CEST 2013


On 4/1/13 12:35 PM, Tore Anderson wrote:
> Hi,
> 
> Following the recent attacks on Spamhaus, our security guys did some
> scanning of our address space to look for potential DDoS amplifiers in
> our network. One of the things they found was the iDRAC port of
> no-osl-as39029, which happily responds to any SNMP v1/v2c queries using
> the "public" community.
> 
> I don't see any evidence of it having been abused for DDoS purposes in
> my bandwidth graphs to date, but still, this should be closed down. That
> probably goes for all the anchor boxes, not just ours.

Hello Tore,

Thanks for pointing this out. I have taken a look and it appears there
are a couple of issues. The first issue is the integrated iDRAC
firewall's IPv6 support. Unfortunately the current iDRAC cards can only
filter v4 traffic. Some of the early anchors such as no-osl-as39029 still
had an IPv6 address enabled which would not have been subject to
filtering. Therefore you would have been able to contact the SNMP
daemon on its v6 address. I have now disabled IPv6 on all anchor iDRAC
interfaces :(.

The second issue seems to be a problem with the iDRAC being able to
filter at all. A number of the anchors block TCP connections but do not
block SNMP connections, even though they are configured in the same
manner as anchors which do block SNMP. I have sent an email to DELL
asking if they can explain this behaviour. In the meantime I have
disabled SNMP on the DRAC interface.

As to the general question of filtering. We originally requested that
all interfaces be positioned in your network with no filtering on either
the iDRAC or the service LAN. However, this is a pilot and, given the
issues with the iDRAC's ability to filter, this may need to change.

Regards
John