[Pool] defending against DDoS attacks

Rob Janssen rob at knoware.nl
Sat Feb 22 19:22:27 UTC 2014


Mouse wrote:
>>> These problems tend to go away when you disable monlist [...]
>> Are other commands not also amplifiers (to a somewhat lesser degree):
> Yes.
>
> That's one reason it annoys me to see people claiming that disabling
> monlist fixes the problem: at most, it refuses to tolerate the
> (currently) most popular exploitation of the problem.  It doesn't
> actually _fix_ anything.
>

The problem has to be fixed by the exclusion of all providers that allow source
address spoofing.   That is the only thing that will fix it, as the bad guys are now
moving from amplifying attacks to simple bounce attacks even without amplification.
And we cannot filter and disable all protocols that make a reply to a request.
(these days there are a lot of "TCP SYN (spoofed addr) -> www server from port
80/443/119 to port 80" going around)

So, a new campaign like the one that went after the open SMTP relays has to be
started.  Blacklisting of providers that do not do source address filtering, to force
them to implement it on their networks or else they will be isolated from internet.
In the end, we'll have a cleaner internet.  One where a source address actually
tells who sent the packet.

Unfortunately, the bad guys will probably find a new way to annoy the world.

Rob


More information about the pool mailing list