nanog mailing list archives
Re: TWC (AS11351) blocking all NTP?
From: Matthew Petach <mpetach () netflight com>
Date: Sun, 2 Feb 2014 14:49:49 -0800
On Sun, Feb 2, 2014 at 2:17 PM, Cb B <cb.list6 () gmail com> wrote:
On Feb 2, 2014 8:35 AM, "Jonathan Towne" <jtowne () slic com> wrote:The provider has kindly acknowledged that there is an issue, and are working on a resolution. Heads up, it may be more than just my region.And not just your provider, everyone is dealing with UDP amp attacks. These UDP based amp attacks are off the charts. Wholesale blocking of traffic at the protocol level to mitigate 10s to 100s of gigs of ddos traffic is not "knee jerk", it is the right thing to do in a world where bcp 38 is far from universal and open dns servers, ntp, chargen, and whatever udp 172 is run wild. People who run networks know what it takes to restore service. And increasingly, that will be clamping ipv4 UDP in the plumbing, both reactively and proactively.
Please note that it's not that UDP is at fault here; it's applications that are structured to respond to small input packets with large responses. If NTP responded to a single query with a single equivalently sized response, its effectiveness as a DDoS attack would be zero; with zero amplification, the volume of attack traffic would be exactly equivalent to the volume of spoofed traffic the originator could send out in the first place. I agree the source obfuscation aspect of UDP can be annoying, from the spoofing perspective, but that really needs to be recognized to be separate from the volume amplification aspect, which is an application level issue, not a protocol level issue. Thanks! Matt PS--yes, I know it would completely change the dynamics of the internet as we know it today to shift to a 1:1 correspondence between input requests and output replies...but it *would* have a nice side effect of balancing out traffic ratios in many places, altering the settlement landscape in the process. ;)
Current thread:
- Re: TWC (AS11351) blocking all NTP?, (continued)
- Re: TWC (AS11351) blocking all NTP? Dobbins, Roland (Feb 02)
- Re: TWC (AS11351) blocking all NTP? Michael DeMan (Feb 02)
- Re: TWC (AS11351) blocking all NTP? Dobbins, Roland (Feb 02)
- Re: TWC (AS11351) blocking all NTP? John Kristoff (Feb 03)
- Re: TWC (AS11351) blocking all NTP? Dobbins, Roland (Feb 03)
- Re: TWC (AS11351) blocking all NTP? John Levine (Feb 03)
- Re: TWC (AS11351) blocking all NTP? Valdis . Kletnieks (Feb 03)
- Re: TWC (AS11351) blocking all NTP? Livingood, Jason (Feb 03)
- Re: TWC (AS11351) blocking all NTP? Jared Mauch (Feb 03)
- Re: TWC (AS11351) blocking all NTP? Matthew Petach (Feb 02)
- Re: TWC (AS11351) blocking all NTP? Cb B (Feb 02)
- Re: TWC (AS11351) blocking all NTP? ryangard (Feb 02)
- Re: TWC (AS11351) blocking all NTP? TGLASSEY (Feb 03)
- Re: TWC (AS11351) blocking all NTP? Valdis . Kletnieks (Feb 03)
- Re: TWC (AS11351) blocking all NTP? TGLASSEY (Feb 03)
- Re: TWC (AS11351) blocking all NTP? Valdis . Kletnieks (Feb 03)