nanog mailing list archives

Re: SNMP DDoS: the vulnerability you might not know you have

From: Larry Sheldon <LarrySheldon () cox net>
Date: Wed, 31 Jul 2013 17:50:18 -0500

On 7/31/2013 4:29 PM, Blake Dunlap wrote:

It works better to fix the design issues than to play whack a mole
by blocking every imaginable service to your customers that responds
to the public with data larger than a FIN. Like getting their
providers to more proactively police their spew, manufactures to stop
making negligent devices, or implementing more intelligent filter
communication so the only option doesn't begin with calling your
provider and asking them over the phone to block X ip for you since
you're off the internet.

Maybe even look into liability laws for allowing said attacks to
originate from your customers and not doing anything about it, or
being manufacturer of said devices that harm others through their
lack of due diligence implementing proper security. It's still way
more effective than trying to fix the *last instance* of the problem,
instead of it's reasons for enduring as an issue at a global scale.

The first time I became a pariah on NANOG was for postulating preciselythat view--that if the originators of problems would stop, we would nothave to figure out how to clean up after them. But I am past that nowand out of work.

But it does occur to me for the first time that I can recall, that maybethe tremendous efforts to Get Control Of The Intertubes could besuckered into doing some good, say be establishing a certificationauthority to test and certify the safety of designs (is Scott B?????still around) and devise a way to not permit traffic from uncertifieddevices or configurations.

But after years of research I will tell you that there is no way to stopan avalanche once it has been released at the source.

--
Requiescas in pace o email           Two identifying characteristics
                                        of System Administrators:
Ex turpi causa non oritur actio      Infallibility, and the ability to
                                        learn from their mistakes.
                                          (Adapted from Stephen Pinker)

Current thread:

Re: SNMP DDoS: the vulnerability you might not know you have, (continued)
- Re: SNMP DDoS: the vulnerability you might not know you have Blake Dunlap (Jul 31)
  - Re: SNMP DDoS: the vulnerability you might not know you have Thomas St-Pierre (Jul 31)
    - Re: SNMP DDoS: the vulnerability you might not know you have Blake Dunlap (Jul 31)
    - RE: SNMP DDoS: the vulnerability you might not know you have James Braunegg (Jul 31)
    - Re: SNMP DDoS: the vulnerability you might not know you have bottiger (Jul 31)
    - Re: SNMP DDoS: the vulnerability you might not know you have Warren Bailey (Jul 31)
    - Re: SNMP DDoS: the vulnerability you might not know you have Dobbins, Roland (Jul 31)
    - Re: SNMP DDoS: the vulnerability you might not know you have Blake Dunlap (Jul 31)
    - Re: SNMP DDoS: the vulnerability you might not know you have bottiger (Jul 31)
    - Re: SNMP DDoS: the vulnerability you might not know you have Jimmy Hess (Jul 31)
    - Message not available
    - Re: SNMP DDoS: the vulnerability you might not know you have Larry Sheldon (Jul 31)
    - Re: SNMP DDoS: the vulnerability you might not know you have Ricky Beam (Jul 31)
    - Re: SNMP DDoS: the vulnerability you might not know you have Enno Rey (Jul 31)
- Re: SNMP DDoS: the vulnerability you might not know you have Livingood, Jason (Jul 31)
  - Re: SNMP DDoS: the vulnerability you might not know you have Warren Bailey (Jul 31)