nanog mailing list archives
Re: UDP/123 policers & status
From: Harlan Stenn <stenn () nwtime org>
Date: Sat, 28 Mar 2020 15:58:09 -0700
On 3/28/2020 3:29 PM, Bottiger wrote:
> but why isn't BCP 38 widely deployed? Because it costs time and money. People have been asking for it to be implemented for decades. It is never going to be deployed on every network.

So you are claiming BCP 38 has to be all or nothing? That there is *no* benefit to incremental deployment?

> What fraction of the world does implement BCP 38? Not enough. Everyone has to use it for it to work. Otherwise the hackers will still find a network that doesn't have it.

I disagree. Enough people have to use it for it to work. And as more folks use it, there is increasing motivation for more folks to use it. As the number of deployments increases, one can assume (perhaps correctly) that it will become less expensive to deploy, and that additional measures will be found to help accomplish the same thing.

> I'd also be interested in general background info on DDoS. Who is DDoS-ing whom and/or why? Is this gamers trying to get an advantage on a competitor? Bad guys making a test run to see if the server can be used for a real run?
>
> Most motivations for attacks can't be traced. But this is not just a gaming problem. It is used to extort businesses for money, destroy competitors, shut down government critics, fame.
>
> Is DDoS software widely available on the dark web?
>
> You don't need the dark web. It is widely available on Github like most other attack types. https://github.com/search?q=ntp+ddos
>
> Broken protocols need to be removed and blacklisted at every edge. Pushing the responsibility to BCP38 is unrealistic.

The monlist attack was mitigated many years ago. The problem is that too many folks don't upgrade their software.

> On Mon, Mar 23, 2020 at 7:43 AM Hal Murray <hgm+nanog () ip-64-139-1-69 sjc megapath net> wrote:
>
>> Steven Sommars said:
>>
>>> The secure time transfer of NTS was designed to avoid amplification attacks.

Uh, no. If you understand what's going on from the perspective of both the client and the server and think about the various cases, I think you'll see what I mean. NTS is a task-specific hammer.

--
Harlan Stenn <stenn () nwtime org>
http://networktimefoundation.org - be a member!