[ntp:hackers] i think it's time to review ntp's default acl's

Hal Murray hmurray at suespammers.org
Thu Mar 23 22:18:52 UTC 2006


> isc is under significant pressure from the world community to change
> the default in BIND to be "do not answer queries from off-LAN
> sources", due to the now widespread use of DNS as a reflector/
> amplifier of spoofed-source DDoS attacks.

DNS and NTP are just the tip of the iceberg, and I think it's a huge one.

Could somebody give me a lesson in the big picture?  (URL would be great.)

Are we going to have to give up on UDP because it's easily abused by bad guys?

Is it possible to get routers to drop packets with forged source addresses?
I assume there are both technical and social/political issues.  I don't know
if it's reasonable to solve either.

For NTP, it seems possible to allow access only by previous arrangements.
The administrative overhead would probably eliminate public servers as they
are currently used.  That would encourage/require ISPs to set up NTP servers
for their customers.



-- 
The suespammers.org mail server is located in California.  So are all my
other mailboxes.  Please do not send unsolicited bulk e-mail or unsolicited
commercial e-mail to my suespammers.org address or any of my other addresses.
These are my opinions, not necessarily my employer's.  I hate spam.
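One concrete shape of "access only by previous arrangement" in the reference ntpd's restrict ACL, shown as the open default beside a deny-by-default version. This is an added example, not part of the post above or of the ntp project's shipped defaults; the addresses are placeholders from the documentation ranges, and the flag meanings are those of the restrict keyword as documented for ntpd.

```conf
# Added example (not from the list post): deny-by-default ntp.conf ACL
# built from the reference implementation's "restrict" keyword.

# Open stance the thread is questioning: with no restrict lines at all,
# any source may sync and may send mode 6/7 control and monitoring
# queries, which is the traffic that makes a server usable as a
# reflector for spoofed-source floods.
#restrict default

# Deny by default: "ignore" discards every packet unless a later, more
# specific restrict line grants something, so nothing is reflected.
restrict default ignore
restrict -6 default ignore

# Localhost keeps full access for ntpq/ntpdc administration.
restrict 127.0.0.1
restrict -6 ::1

# "Previous arrangement" with an upstream: each server we sync to is
# listed explicitly so its replies pass the ACL, but it may not query,
# reconfigure, trap, or peer with us.
server 192.0.2.10 iburst                 # placeholder (TEST-NET-1)
restrict 192.0.2.10 nomodify noquery notrap nopeer

# An ISP-style arrangement: the provider's own customer block may sync
# and nothing else.  nomodify blocks runtime reconfiguration, noquery
# blocks mode 6/7 status queries (the amplifying traffic), notrap and
# nopeer refuse trap and symmetric-peer association requests, and
# limited + kod rate-limits repeat clients, answering excess requests
# with a Kiss-o'-Death packet instead of a full response.
restrict 198.51.100.0 mask 255.255.255.0 nomodify noquery notrap nopeer limited kod
```

After reloading, confirm the effect from an address outside the allowed ranges: a mode 6 query such as `ntpq -c rv <server>` should time out rather than answer.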




