[Pool] BBC News article about NTP...

Rob Janssen rob at knoware.nl
Tue Feb 11 17:44:19 UTC 2014


Mouse wrote:
>
> I propose that the existence of an ISP without source address
> filtering is handled by a reputation system similar to what was
> brought in place to bring down open SMTP relays, [...]
> Unfortunately it is more difficult because the offender is much harder
> for the victim to identify.  Suppose, for example, that I get a packet
> with ip_src forged to 74.125.226.115.  How can I IDP that sender, even
> just for me?  I can't.  I can't even tell the difference between two
> senders in different places forging such traffic to me.  I have to get
> my upstream to push it to _their_ upstream, etc, until reaching an
> offender.  But with open SMTP relays, I can reject the traffic without
> needing help from my upstream.
>

I know that it is harder, but not impossible.
It would be possible for transit providers to stamp any packet that has not been
suitably filtered.   E.g. setting the "evil bit" that was once the subject of an April Fools'
Day RFC.  Any packet accepted from a party that is known not to filter gets the
"evil bit" set, and anyone (provider or end system) willing to take on the battle will
just drop any packets with the "evil bit" set.  Similar to a percentage of systems no
longer prepared to accept mail from systems on a list of known open relays.

Once a large enough percentage of the internet is dropping this traffic, there will be an
incentive for the ISP to clean up his systems and get his traffic routed without the
evil bit.

Another option would be to have "IP route recording", an option available in IP but
rarely used anymore, revitalized.  When major transit providers enforce the insertion of
route recording options in anything routed, it will be much easier to find where
malicious traffic originates, and arrange for that source to be cut off the internet.

Unfortunately the insertion of a route recording option into a packet increases its size and therefore
introduces the known problems with smaller-than-1500 MTUs.   It could be done for
a percentage of traffic, or triggered by certain conditions (e.g. traffic coming in from
another source than the destination of traffic to the same address).

Rob
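The two mechanisms discussed above, the RFC 3514 "evil bit" stamp and the IPv4 Record Route option, modelled in Python as an added example (this is not code from the list post or the NTP pool project). It assumes the bit position RFC 3514 assigns (the high-order bit of the flags/fragment-offset field), the Record Route option layout from RFC 791 (type 7, pointer starting at octet 4, at most nine addresses), and a hypothetical transit-provider policy of stamping every packet accepted from a non-filtering peer; the addresses are constructed documentation-range values. The `fits_mtu` check shows why a full Record Route option pushes a 1500-byte packet over a 1500-byte MTU.

```python
import struct
from ipaddress import IPv4Address

# RFC 3514 puts the "evil bit" in the high-order (formerly reserved) bit of the
# 16-bit flags/fragment-offset field at header offset 6 (assumed here as the stamp).
EVIL_BIT = 0x8000
IPOPT_EOL, IPOPT_NOP, IPOPT_RR = 0, 1, 7   # Record Route is option type 7 (RFC 791)
CHECKSUM_OFFSET = 10
IPV4_FIXED = "!BBHHHBBH4s4s"

def internet_checksum(data: bytes) -> int:
    """RFC 1071 ones-complement sum; a header carrying a valid checksum sums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def _with_checksum(header: bytes) -> bytes:
    """Recompute the header checksum after the header has been modified."""
    zeroed = header[:CHECKSUM_OFFSET] + b"\x00\x00" + header[CHECKSUM_OFFSET + 2:]
    return zeroed[:CHECKSUM_OFFSET] + struct.pack("!H", internet_checksum(zeroed)) + zeroed[CHECKSUM_OFFSET + 2:]

def _header_len(packet: bytes) -> int:
    return (packet[0] & 0x0F) * 4

def _find_option(packet: bytes, wanted: int):
    """Walk the options area; return the offset of option type `wanted`, or None."""
    i, ihl = 20, _header_len(packet)
    while i < ihl and packet[i] != IPOPT_EOL:
        if packet[i] == IPOPT_NOP:
            i += 1
            continue
        if packet[i] == wanted:
            return i
        i += packet[i + 1]
    return None

def record_route_option(slots: int) -> bytes:
    """Empty Record Route option with room for `slots` addresses, padded to 32 bits."""
    if not 1 <= slots <= 9:
        raise ValueError("Record Route holds 1..9 addresses (IP options are at most 40 bytes)")
    opt = bytes([IPOPT_RR, 3 + 4 * slots, 4]) + b"\x00" * (4 * slots)  # pointer starts at octet 4
    return opt + bytes([IPOPT_EOL]) * (-len(opt) % 4)

def build_ipv4_header(src: str, dst: str, payload_len: int, *, evil: bool = False,
                      rr_slots: int = 0, proto: int = 17) -> bytes:
    """IPv4 header (payload not included) with optional evil bit and Record Route option."""
    options = record_route_option(rr_slots) if rr_slots else b""
    ihl = 5 + len(options) // 4
    fixed = struct.pack(IPV4_FIXED, (4 << 4) | ihl, 0, ihl * 4 + payload_len, 0,
                        EVIL_BIT if evil else 0, 64, proto, 0,
                        IPv4Address(src).packed, IPv4Address(dst).packed)
    return _with_checksum(fixed + options)

def parse_ipv4(packet: bytes) -> dict:
    """Decode the fields the discussion cares about, including any recorded route."""
    vihl, _, total_len, _, flags_frag, _, _, _, src, dst = struct.unpack(IPV4_FIXED, packet[:20])
    ihl, recorded = (vihl & 0x0F) * 4, []
    i = _find_option(packet, IPOPT_RR)
    if i is not None:
        ptr = packet[i + 2]                          # 1-based octet of the next free slot
        for off in range(3, ptr - 1, 4):             # slots before the pointer are already filled
            recorded.append(str(IPv4Address(packet[i + off:i + off + 4])))
    return {"header_len": ihl, "total_len": total_len, "evil": bool(flags_frag & EVIL_BIT),
            "checksum_ok": internet_checksum(packet[:ihl]) == 0,
            "src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)), "recorded_route": recorded}

def stamp_evil(packet: bytes) -> bytes:
    """Hypothetical transit-provider stamp: set the evil bit on a packet from a peer known not to filter."""
    ihl = _header_len(packet)
    hdr = bytearray(packet[:ihl])
    hdr[6:8] = struct.pack("!H", struct.unpack("!H", hdr[6:8])[0] | EVIL_BIT)
    return _with_checksum(bytes(hdr)) + packet[ihl:]

def should_drop(packet: bytes) -> bool:
    """Policy of anyone willing to take on the battle: drop every stamped packet."""
    return parse_ipv4(packet)["evil"]

def record_route_hop(packet: bytes, router_addr: str) -> bytes:
    """What a forwarding router does: write its address at the pointer and advance it, if room remains."""
    ihl = _header_len(packet)
    hdr = bytearray(packet[:ihl])
    i = _find_option(hdr, IPOPT_RR)
    if i is not None and hdr[i + 2] + 3 <= hdr[i + 1]:    # RFC 791: pointer > length means full
        ptr = hdr[i + 2]
        hdr[i + ptr - 1:i + ptr + 3] = IPv4Address(router_addr).packed
        hdr[i + 2] = ptr + 4
    return _with_checksum(bytes(hdr)) + packet[ihl:]

def fits_mtu(payload_len: int, rr_slots: int, mtu: int = 1500) -> bool:
    """Does a packet with this payload still fit the link once Record Route is inserted?"""
    header_len = 20 + (len(record_route_option(rr_slots)) if rr_slots else 0)
    return header_len + payload_len <= mtu
```

Two caveats a practitioner will already know: RFC 3514 is an April Fools' RFC, so no real router sets or honours the bit and any deployed stamp would need a different, agreed-upon marker; and a Record Route option is written by routers on the forward path, so it only records the hops the packet actually took and carries no information about whether the source address was legitimate. The `fits_mtu` check makes the size problem concrete: a 1480-byte payload fits exactly in a 1500-byte packet with a bare 20-byte header, but a full nine-slot Record Route option brings the header to 60 bytes and the packet to 1540, which must then be fragmented or dropped.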

