Re: "trivial" changes to DNS (was: OpenNTPProject.org)

[Cb B <cb.list6 () gmail com>]

On Jan 16, 2014 5:10 PM, "Mark Andrews" <marka () isc org> wrote:
> In message <
CAAAwwbVJKEok-ydwEQd4cowJ9qAAtbC8mKqwNXrsud55+H9ZEw () mail gmail com>
> , Jimmy Hess writes:
> > On Thu, Jan 16, 2014 at 3:05 PM, Mark Andrews <marka () isc org> wrote:
> >
> > > We don't need to change transport, we don't need to port knock.  We
> > > just need to implementent a slightly modified dns cookies which
> > > reminds me that I need to review Donald Eastlake's new draft to be.
> >
> > But a change to DNS doesn't solve the problem for the other thousand or
so
> > UDP-based protocols.
>
> What thousand protocols?  There really are very few protocols widely
> deployed on top of UDP.
>
> > What would your fix be for the Chargen and SNMP protocols?
>
> Chargen is turned off on many platforms by default.  Turn it off
> on more.  Chargen loops are detectable.

Somebody has it on.

I can confirm multi gb/s size chargen attacks going on regularly.

I agree. More chargen off, more bcp 38, but ...yeh.. chargen is a big
problem here and now

CB

> SNMP doesn't need to be open to the entire world.  It's not like
> authoritative DNS servers which are offering a service to everyone.
>
> New UDP based protocols need to think about how to handle spoof
> traffic.
>
> You look at providing extending routing protocols to provide
> information about the legitimate source addresses that may be emitted
> over a link.  SIDR should help here with authentication of the data.
> This will enable better automatic filtering to be deployed.
>
> You continue to deploy BCP38.  Every site that deploys BCD is one
> less site where owened machines can be used to launch attacks from.
>
> Mark
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742                 INTERNET: marka () isc org