nanog mailing list archives

Re: TWC (AS11351) blocking all NTP?


From: Peter Phaal <peter.phaal () gmail com>
Date: Mon, 3 Feb 2014 09:42:57 -0800

Why burn the village when only one house is the problem? I thought
there might be some interest in hearing about work being done to use
SDN to automatically configure filtering in existing switches and
routers to mitigate flood attacks.

Real-time analytics based on measurements from switches/routers
(sFlow/PSAMP/IPFIX) can identify large UDP flows and integrated hybrid
OpenFlow, I2RS, REST, NETCONF APIs, etc. can be used to program the
switches/routers to selectively filter traffic based on UDP port and
IP source / destination. By deploying a DDoS mitigation SDN
application, providers can use their existing infrastructure to
protect their own and their customers' networks from flood attacks, and
generate additional revenue by delivering flood protection as a value
added service.

https://datatracker.ietf.org/doc/draft-krishnan-i2rs-large-flow-use-case/
http://events.linuxfoundation.org/sites/events/files/slides/flow-aware-real-time-sdn-analytics-odl-summit-v2.pdf

Specifically looking at sFlow, large flood attacks can be detected
within a second. The following article describes a simple example
using integrated hybrid OpenFlow in a 10/40G ToR switch:

http://blog.sflow.com/2014/01/physical-switch-hybrid-openflow-example.html

The example can be modified to target NTP mon_getlist requests and
responses using the following sFlow-RT flow definition:

{keys:'ipdestination,udpsourceport',value:'ntppvtbytes',filter:'ntppvtreq=20,42'}

or to target DNS ANY requests:

{keys:'ipdestination,udpsourceport',value:'frames',filter:'dnsqr=true&dnsqtype=255'}

The OpenFlow block control can be modified to selectively filter UDP
traffic based on the identified UDP source port and destination IP
address.

Vendors are adding new SDN capabilities to their platforms (often as
software upgrades), so it's worth taking a look and seeing what is
possible.

Peter

On Sun, Feb 2, 2014 at 7:38 PM, Larry Sheldon <LarrySheldon () cox net> wrote:
On 2/2/2014 9:17 PM, ryangard () gmail com wrote:

I'd hate to think that NetOps would be so heavy handed in blocking
all of UDP, as this would essentially halt quite a bit of audio/video
traffic. That being said, there's still quite the need for protocol
improvement when making use of UDP, but blocking UDP as a whole is
definitely not a resolution, and simply creating a wall that not only
keeps the abusive traffic out, but keeps legitimate traffic from
flowing freely as it should.


"We had to burn down the village to save it."


--
Requiescas in pace o email           Two identifying characteristics
                                        of System Administrators:
Ex turpi causa non oritur actio      Infallibility, and the ability to
                                        learn from their mistakes.
                                          (Adapted from Stephen Pinker)
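The detect-then-filter loop Peter describes, as an added example that is not from his post or from sFlow-RT: it applies his NTP flow definition (keys ipdestination,udpsourceport, value ntppvtbytes, filter ntppvtreq=20,42) to constructed samples, scales by the sampling rate, and emits a UDP-source-port/destination-IP drop rule for any flow over a threshold. The Sample record shape, the sampling rate and threshold, and the OpenFlow rule field names are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# NTP mode-7 request codes from the post's filter 'ntppvtreq=20,42'
# (MON_GETLIST and MON_GETLIST_1).
MONLIST_CODES = {20, 42}


@dataclass(frozen=True)
class Sample:
    """One decoded sFlow packet sample (constructed shape, not sFlow-RT's format)."""
    ipsource: str
    ipdestination: str
    udpsourceport: int
    udpdestinationport: int
    bytes: int
    ntppvtreq: Optional[int] = None  # mode-7 request code, None if not NTP private


def flow_key(sample):
    """keys:'ipdestination,udpsourceport' restricted by filter ntppvtreq=20,42."""
    if sample.ntppvtreq not in MONLIST_CODES:
        return None
    return (sample.ipdestination, sample.udpsourceport)


def aggregate(samples, sampling_rate):
    """value:'ntppvtbytes' per flow key, scaled up by the packet sampling rate."""
    totals = defaultdict(int)
    for s in samples:
        k = flow_key(s)
        if k is not None:
            totals[k] += s.bytes * sampling_rate
    return dict(totals)


def large_flows(totals, threshold_bytes):
    """Flow keys whose estimated bytes in the measurement window exceed the threshold."""
    return [k for k, v in totals.items() if v > threshold_bytes]


def block_rule(key):
    """Drop UDP from the identified source port to the victim IP (field names assumed)."""
    ip, port = key
    return {"dl_type": 0x0800, "nw_proto": 17, "udp_src": port, "nw_dst": ip, "actions": "drop"}


# Constructed samples: a burst of monlist (code 42) responses toward one victim,
# plus one ordinary NTP client request that carries no mode-7 code and must not match.
SAMPLES = [Sample("198.51.100.7", "203.0.113.9", 123, 40000 + i, 440, ntppvtreq=42)
           for i in range(30)] + [Sample("203.0.113.50", "198.51.100.7", 53000, 123, 48)]


def detect(samples=SAMPLES, sampling_rate=1000, threshold_bytes=10_000_000):
    """Run the pipeline and return the drop rules to push to the switch."""
    return [block_rule(k) for k in large_flows(aggregate(samples, sampling_rate), threshold_bytes)]
```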


