I have been seeing malicious local broadcast traffic on the internet-facing interface of a few of our firewalls that appears to be coming from MikroTik routers that are infected with the Coinhive mining script that are looking for other MikroTik routers to infect (CVE-2018-14847). The traffic is broadcast traffic over UDP port 5678 (MikroTik Neighbor Discovery Protocol). Because we do not have any MikroTik routers in deployment we are not vulnerable to these attacks, however in the last three days there have been over 1.2 million session attempts against our firewalls. If this is left unaddressed we could potentially see degraded performance on these circuits.
I requested the following actions from our ISP at these sites:
- Patch any hardware on their network that is vulnerable to CVE-2018-14847.
- Get our connections at these sites converted to a /30 that will isolate us from these broadcasts.
Today I got a reply from one of the ISP's saying that they could put me on a /32, but not a /30... Here's their reply:
"On the option of a /30 we may be able to get you guys on a /32 but it would need to be on a different address range(we rarely use /30 due to how we have our sub nets split up. To make put your current address on a /32 we would have to break the current sub net and in turn would break multiple customers which is something I would avoid. If a /32 is something that you are interested in I can see what I can get approval on for you guys to get things in the works on that."
Huh? Is there something I don't understand about subnetting that is different for ISP's? My understanding of subnetting is that the smallest segment for a direct connection is a /30, which leaves two available IP addresses after you subtract one for the network address and one for the broadcast address. Someone please either blow my mind, or tell me that my ISP is high as a kite.
No comments:
Post a Comment