nanog mailing list archives
Re: ddos attack blog
From: John <jschiel () flowtools net>
Date: Fri, 14 Feb 2014 11:51:21 -0700
On 02/13/2014 06:01 PM, Jared Mauch wrote:
On Feb 13, 2014, at 1:47 PM, John <jschiel () flowtools net> wrote:
<snip>
I was being a bit extreme, I don't expect UDP to be blocked and there are valid uses for NTP and it needs to pass. Can you imagine the trading servers not having access to NTP?UDP won't be blocked. There are some vendors that have their own hidden protocol inside UDP packets to control and communicate with their devices. Thinking on it again, maybe blocking UDP isn't all that bad. Would force the vendors to not 'hide' their protocol. Be careful what you wish for. I know some people have just blocked all NTP to keep their servers from participating in attacks. This is common in places where they hand off a VM/host to a customer and no longer have access despite it being in their environment.
The knee jerk reaction to just block NTP is a temporary measure that can be used while other mitigation steps are implemented.
I kinda hijacked the NTP issue a bit and expanded it to cover the undocumented uses of device control in UDP. I'll leave that issue for another day, just wanted to raise awareness if it was not already known.
--John
I would actually like to ask for those folks to un-block NTP so there is proper data on the number of hosts for those researching this. The right thing to do is reconfigure them. I've seen a good trend line in NTP servers being fixed, and hope we will see more of that in the next few weeks. I've seen maybe 100-200 per-ASN reports handed out to network operators. If you want yours, please e-mail ntp-scan () puck nether net to obtain it. Put your ASN in the subject line and/or body. - Jared (and others like Patrick that presented on the projects behalf).
Current thread:
- Re: ddos attack blog, (continued)
- Re: ddos attack blog John (Feb 13)
- Re: ddos attack blog Jared Mauch (Feb 13)
- Re: ddos attack blog Mark Tinka (Feb 14)
- Re: ddos attack blog Wayne E Bouchard (Feb 14)
- Permitting spoofed traffic [Was: Re: ddos attack blog] Paul Ferguson (Feb 14)
- Re: Permitting spoofed traffic [Was: Re: ddos attack blog] Joe Provo (Feb 14)
- Re: Permitting spoofed traffic [Was: Re: ddos attack blog] Paul Ferguson (Feb 14)
- Re: Permitting spoofed traffic [Was: Re: ddos attack blog] Jeff Kell (Feb 14)
- Re: ddos attack blog Jared Mauch (Feb 13)
- Re: ddos attack blog John (Feb 13)
- Message not available
- Re: Permitting spoofed traffic [Was: Re: ddos attack blog] Larry Sheldon (Feb 14)
- Re: Permitting spoofed traffic [Was: Re: ddos attack blog] Paul Ferguson (Feb 14)
- Re: ddos attack blog John (Feb 14)
- Re: ddos attack blog joel jaeggli (Feb 14)