[Pool] BCP38 and mitigating NTP DDoS attacks

Rob Janssen rob at knoware.nl
Tue Feb 11 18:35:32 UTC 2014


Jim Reid wrote:
>
>> I propose that the existance of an ISP without source address filtering is handled by
>> a reputation system similar to what was brought in place to bring down open SMTP relays,
>> another thing that was once a common practice and that needed to be shut down
>> because they were being abused by miscreants.
>
> Widespread uptake of source address filtering is just not going to happen.
Wasn't that claimed in the days of the open SMTP relay as well?
Yet, the problem was resolved.
> Here's a straw-man suggestion. NTP over TCP would be the only option for public time servers on the Internet.
That will not be enough.   TCP is used in reflection attacks now. It has no amplification, but it can still be used for reflection.
I saw an attempted attack on webservers where they just send spoofed SYN with source and destination port 80 and hope
for a flood of SYN ACK to the victim.
Really, the only thing that can be done is end the spoofing.   The protocols itself are always vulnerable when they send
some form of reply, and they always will.
>> Just disconnect every provider that refuses to set up source address filtering until
>> they give in.  No source address filtering?  No traffic from you. Period.
> I wonder just how long that will last when your boss can't get to his/her favourite web site with kitten pictures. :-)
Bosses got disconnected from e-mail because their company ran an open relay.
That made the system operators fix the open relay.
This should also work when they are part of a network that allows spoofing.   Fix the problem and you are on again.
>
> It would be great if Facebook or google did source address filtering/validation. That would provide a huge incentive to ISPs to get their act together wrt BCP38. But suppose you're in charge at Facebook. Why would you do something that pisses off your customers, puts customer support into meltdown and upsets the advertisers whenever huge numbers of end users get cut off because they're on ISPs who can't or won't do source address filtering/validation any time soon?
It would be a bonus when you are never affected by a reflection DDOS.   Maybe not for Facebook, but for a bank or government site
it would be good for their reputation.
When users found their mail was getting dropped because their provider did not care about closing the open SMTP relay, it was
similarly fixed before all customers ran out.   That should be possible.
Today's users understand that security and hackers are a problem on the internet, and countermeasures are required.

Rob


More information about the pool mailing list