nanog mailing list archives

Re: Can we not just fix it? WAS:Re: Open Resolver Problems


From: Saku Ytti <saku () ytti fi>
Date: Thu, 28 Mar 2013 11:58:41 +0200

On (2013-03-27 22:27 -1000), David Conrad wrote:

> One of the largest DDoS attacks I've witnessed was SNMP-based, walking entire OID sub-trees (with spoofed source
> addresses) across thousands of CPEs that defaulted to allowing SNMP queries over the WAN interface. "Oops". Topped
> out around 70 Gbps if I remember correctly. No DNS involved.

Wonderful data point. Services are not the problem. Open recursors are not
the problem, there are millions of them, and even if we close all of them,
the attack vector remains almost identical, as due to DNSSEC it's
easy to find large RRs in authoritative servers.

I think most everyone is missing the key notion that BCP38 does not need to
be deployed by millions.

Most people are NOT doing ACL filtering towards their transit customers,
Tier1<->Tier2 cannot do it (strict IRR is not practical). Tier2<->Tier3 can
do it, and should do it.
We have about 6000 tier2 networks that we need to fix to make spoofing
attack vectors impractical. It's entirely doable if we can agree that an ACL
towards your transit customer is BCP and start
approaching/educating/helping (github scripts to do it automatically for
your JunOS, IOS, TimOS, IOS-XR...) these 6000 networks.


-- 
  ++ytti
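The post argues that a Tier2 network can enforce BCP38 by putting a source-address ACL on each transit-customer port, and suggests scripts that generate it automatically for JunOS, IOS and similar. The following is an added example of what such a generator looks like; it is not code from the post or from any NANOG project. The customer name, interface and prefixes are constructed sample values, and the generator is IPv4-only: it validates and aggregates the customer's prefix list, renders an IOS extended ACL and the equivalent JunOS `family inet` filter that permit only those sources and discard (and count) everything else, and includes a small simulation of the filter so the effect on a legitimate versus a spoofed source can be checked offline.

```python
import ipaddress

# Constructed sample input (not from the mailing-list post): the prefixes a
# hypothetical transit customer "cust1" is entitled to source packets from.
CUSTOMER_NAME = "cust1"
CUSTOMER_PREFIXES = [
    "192.0.2.0/24",
    "198.51.100.0/25",
    "198.51.100.128/25",   # adjacent to the one above; will be aggregated
    "203.0.113.0/24",
]


def aggregate_prefixes(prefixes):
    """Validate and collapse IPv4 prefixes so the filter is as short as possible.

    strict=True rejects entries with host bits set (e.g. "192.0.2.1/24"), which
    is usually a typo in a customer's prefix list rather than an intended network.
    """
    nets = [ipaddress.IPv4Network(p, strict=True) for p in prefixes]
    return sorted(ipaddress.collapse_addresses(nets))


def ios_ingress_acl(name, prefixes, interface):
    """Render a Cisco IOS extended ACL that permits only the customer's sources."""
    nets = aggregate_prefixes(prefixes)
    acl = f"BCP38-{name.upper()}"
    lines = [f"ip access-list extended {acl}"]
    for net in nets:
        # IOS uses wildcard (inverse) masks: 255.255.255.0 -> 0.0.0.255
        lines.append(f" permit ip {net.network_address} {net.hostmask} any")
    # Anything not sourced from the customer's prefixes is spoofed: drop and log.
    lines.append(" deny ip any any log")
    lines += [f"interface {interface}", f" ip access-group {acl} in"]
    return lines


def junos_ingress_filter(name, prefixes):
    """Render the equivalent JunOS firewall filter (family inet)."""
    nets = aggregate_prefixes(prefixes)
    flt = f"BCP38-{name.upper()}"
    body = "".join(f"                        {net};\n" for net in nets)
    return (
        "firewall {\n"
        "    family inet {\n"
        f"        filter {flt} {{\n"
        "            term customer-sources {\n"
        "                from {\n"
        "                    source-address {\n"
        f"{body}"
        "                    }\n"
        "                }\n"
        "                then accept;\n"
        "            }\n"
        "            term drop-spoofed {\n"
        "                then {\n"
        f"                    count spoofed-{name};\n"
        "                    discard;\n"
        "                }\n"
        "            }\n"
        "        }\n"
        "    }\n"
        "}"
    )


def source_permitted(src_ip, prefixes):
    """Simulate the filter: True if src_ip falls inside a permitted customer prefix."""
    addr = ipaddress.IPv4Address(src_ip)
    return any(addr in net for net in aggregate_prefixes(prefixes))


if __name__ == "__main__":
    print("\n".join(ios_ingress_acl(CUSTOMER_NAME, CUSTOMER_PREFIXES, "GigabitEthernet0/1")))
    print()
    print(junos_ingress_filter(CUSTOMER_NAME, CUSTOMER_PREFIXES))
    print()
    # Constructed sample source addresses: two legitimate, one outside the customer's space.
    for src in ("192.0.2.10", "198.51.100.200", "8.8.8.8"):
        verdict = "permit" if source_permitted(src, CUSTOMER_PREFIXES) else "drop (spoofed)"
        print(f"{src:>16} -> {verdict}")
```

The filter is only as good as the prefix list it is built from: the list must cover every prefix the customer and its own downstreams legitimately originate, otherwise real traffic is dropped alongside the spoofed traffic. That is the same data problem the post notes at the Tier1/Tier2 boundary, where a strict IRR-derived list is not practical; at the Tier2/Tier3 boundary the customer's prefixes are few and known, which is why the post argues the ACL belongs there. The `count` action on the JunOS discard term (and `log` on IOS) gives the operator a per-customer spoofing counter to watch after deployment.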

