nanog mailing list archives

Re: TWC (AS11351) blocking all NTP?


From: Laszlo Hanyecz <laszlo () heliacal net>
Date: Tue, 4 Feb 2014 19:01:51 +0000

I was joking, I meant that the operator provides an API for attackers, so they can accomplish their goal of taking the 
customer offline, without having to spoof or flood or whatever else.  Automatically installing ACLs in response to 
observed flows accomplishes almost the same thing.  As a concrete example, say a customer is running a game server that 
utilizes UDP port 12345.  An attacker sends a large flow to customer:12345 and your switches and routers all start 
filtering anything with destination customer:12345, for say 2 hours.  Then the attacker can just repeat in 2 hours and 
send only a few seconds' worth of flooding each time.

On Feb 4, 2014, at 6:52 PM, William Herrin <bill () herrin us> wrote:

On Tue, Feb 4, 2014 at 1:45 PM, Laszlo Hanyecz <laszlo () heliacal net> wrote:
Why not just provide a public API that lets users specify which
of your customers they want to null route?

They're spoofed packets. There's no way for anyone outside your AS to
know which of your customers the packets came from. It's not
particularly easy to trace inside your AS either.

Regards,
Bill Herrin



-- 
William D. Herrin ................ herrin () dirtside com  bill () herrin us
3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004
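
The duty cycle described in Laszlo Hanyecz's message above, modelled as an added example that is not part of the original thread: it replays flow records against a rule that filters a destination for 2 hours after a large flow and reports how long the customer was unreachable. The trigger rate, the 5-second burst length, the flow record layout and all function names are assumptions; the sample flows are constructed.

```python
from dataclasses import dataclass

BLOCK_SECS = 2 * 3600      # ACL lifetime from the message ("say 2 hours")
THRESHOLD_MBPS = 100.0     # assumed trigger rate, not from the thread
DAY = 24 * 3600

@dataclass
class Flow:                # one flow summary record (constructed layout)
    start: int             # seconds since start of observation
    duration: int          # seconds the flow lasted
    dst: str               # "host:port"
    mbps: float

def blocked_intervals(flows, dst):
    """Periods in which the auto-installed ACL drops everything sent to dst."""
    out = []
    for f in sorted(flows, key=lambda f: f.start):
        if f.dst != dst or f.mbps < THRESHOLD_MBPS:
            continue                      # other destination or below trigger
        if out and f.start < out[-1][1]:
            continue                      # ACL still installed, no new trigger
        out.append((f.start, f.start + BLOCK_SECS))
    return out

def outage_report(flows, dst, window=DAY):
    """Compare seconds of flood received with seconds the customer was filtered."""
    iv = blocked_intervals(flows, dst)
    blocked = sum(min(e, window) - s for s, e in iv if s < window)
    flood = sum(f.duration for f in flows
                if f.dst == dst and f.mbps >= THRESHOLD_MBPS)
    return {"acl_installs": len(iv), "flood_secs": flood,
            "blocked_secs": blocked, "outage_fraction": blocked / window}

# Constructed sample: a 5-second burst every 2 hours, plus normal game traffic.
SAMPLE = [Flow(t, 5, "customer:12345", 900.0) for t in range(0, DAY, BLOCK_SECS)]
SAMPLE.append(Flow(600, 3000, "customer:12345", 2.0))

if __name__ == "__main__":
    print(outage_report(SAMPLE, "customer:12345"))
```

On the sample, 60 seconds of flood spread over a day keep the filter installed for the full 24 hours, which is the metric to check before deploying a flow-triggered ACL policy.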


