[Pool] defending against DDoS attacks

AlbyVA albyva at empire.org
Sun Feb 23 10:51:56 UTC 2014


 When it comes to BCP38, it's easier said than done. If you have a small network with a handful of IP space, BCP38 is easy to implement. Nothing hard about a filter which drops all traffic if the source address isn't from your allocated network pool. So if every "end user" implemented BCP38, the world would be a better place.

 On the ISP front, it's a completely different story. They aren't the end user, they are the transit provider. All of their customers have either space provided by the ISP, direct RIR allocations, or allocations from other ISPs. The man hours involved in keeping such a filter updated are enormous and expensive. So when folks point fingers at ISPs to be the anti-spoofing police, I'd say, "don't hold your breath".

 On that note, there is a developing certification process which could automate the verification of who owns what address space so that BCP38 by ISPs becomes a more viable solution. That process is called Resource Public Key Infrastructure (RPKI). (https://en.wikipedia.org/wiki/Resource_Public_Key_Infrastructure) RPKI allows for a type of identification saying, "Only I can originate this network space". This would allow ISPs to better implement BCP38, because they would no longer have to do a manual validation check to see if 93.186.32.0/20 was really allocated to rfc1035.net.

 In any case, spoofing is only a part of the battle against DDoS attacks. Compromised web servers waiting for instructions on what target address to hit aren't thwarted by BCP38 (See: Brobot - Operation Ababil). It's more likely that you can get folks to fix NTP monlist config issues than a zillion end users and providers to implement anti-spoofing measures. So far there has been a decline in open NTP servers answering monlist queries from 1.5 million to 500,000 over the last few months. Reducing the pool of servers that can be used for malicious intent is likely to have a much more immediate effect than calls for ISPs and end users to police address origination of every packet.

NOTES:
http://www.nanog.org/sites/default/files/wednesday.general-lt.gilmore.ntpreflection.pdf

Date          Responding Servers
==============================
1-10-2014:    1,529,866
1-17-2014:    1,402,569
1-24-2014:      803,156
1-31-2014:      564,027
2-07-2014:      490,724




On Fri, Feb 21, 2014 at 8:27 PM, Sanjeev Gupta <ghane0 at gmail.com> wrote:

> On Fri, Feb 21, 2014 at 6:15 PM, Jim Reid <ntp-pool at rfc1035.net> wrote:
>
> > Your ISP should be deploying source address filtering/validation at their
> > edge routers. Though they probably don't: good luck getting them to
> change.
>
>
> _Their_ ISP needs to do this, not yours.  Your ISP sees a valid destination
> address (yours), and a valid source address (the Internet).  Spoofed
> packets need to be checked while _leaving_ a network.
>
> --
> Sanjeev Gupta
> +65 98551208     http://www.linkedin.com/in/ghane
> _______________________________________________
> pool mailing list
> pool at lists.ntp.org
> http://lists.ntp.org/listinfo/pool
>
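The two mechanisms discussed above, a BCP38 source-address filter and RPKI origin validation, can be tied together in a few lines. The following is an added example written for this archive page; it is not code from the list, from AlbyVA, or from any RPKI/router vendor. It builds the "permitted source prefixes" list of a BCP38 egress filter from RPKI-style ROAs (Route Origin Authorizations, checked the way RFC 6811 describes: a route is Valid when a ROA covering the prefix names the same origin AS and the prefix is no longer than the ROA's maxLength) instead of a hand-maintained customer table, and then drops packets whose source address falls outside that list. The 93.186.32.0/20 prefix is the one named in the post; the origin AS 64496 and every packet address are constructed sample values (AS64496 and the 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 ranges are reserved for documentation), not real routing data.

```python
"""Added example: BCP38 egress filtering with an RPKI-derived allow list.

Not part of the original mailing-list post. ROA data, AS numbers and
packet addresses below are constructed for the demonstration.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    """A Route Origin Authorization: prefix, authorized origin AS, maxLength."""
    prefix: str
    origin_asn: int
    max_length: int


def _same_family_subnet(candidate, container):
    """True when candidate lies inside container (and both are the same IP version)."""
    return candidate.version == container.version and candidate.subnet_of(container)


def validate_origin(roas, prefix, asn):
    """RFC 6811 route origin validation: 'valid', 'invalid' or 'not-found'.

    A ROA 'covers' a route when the route prefix lies inside the ROA prefix.
    Valid  : some covering ROA has the same origin AS and maxLength >= prefixlen.
    Invalid: covering ROAs exist but none matches (wrong AS or too specific).
    Not-found: no ROA covers the prefix at all.
    """
    net = ipaddress.ip_network(prefix)
    covering = [r for r in roas if _same_family_subnet(net, ipaddress.ip_network(r.prefix))]
    if not covering:
        return "not-found"
    for r in covering:
        if r.origin_asn == asn and net.prefixlen <= r.max_length:
            return "valid"
    return "invalid"


def build_permitted_prefixes(roas, announced_routes):
    """Keep only the customer's RPKI-valid announcements as BCP38 source prefixes.

    announced_routes is a list of (prefix, origin_asn) pairs the customer claims.
    Invalid and not-found routes are deliberately left out, so a customer cannot
    widen the filter simply by announcing space that is not theirs.
    """
    return [ipaddress.ip_network(p) for p, asn in announced_routes
            if validate_origin(roas, p, asn) == "valid"]


def bcp38_filter(permitted, packets):
    """Egress filter: forward a packet only if its source is inside a permitted prefix.

    packets is a list of (src_ip, dst_ip) strings. Returns (forwarded, dropped).
    """
    forwarded, dropped = [], []
    for src, dst in packets:
        s = ipaddress.ip_address(src)
        if any(s.version == n.version and s in n for n in permitted):
            forwarded.append((src, dst))
        else:
            dropped.append((src, dst))  # source not ours: classic spoofed packet
    return forwarded, dropped


# Constructed sample data: one ROA for the prefix mentioned in the post.
SAMPLE_ROAS = [ROA("93.186.32.0/20", 64496, 24)]

# What the (hypothetical) customer at AS64496 announces to its upstream.
SAMPLE_ROUTES = [
    ("93.186.32.0/20", 64496),   # valid: exact match
    ("93.186.40.0/24", 64496),   # valid: /24 is within maxLength 24
    ("93.186.32.0/25", 64496),   # invalid: longer than maxLength
    ("198.51.100.0/24", 64496),  # not-found: no ROA covers it
]

# Constructed packets leaving the customer network.
SAMPLE_PACKETS = [
    ("93.186.33.7", "203.0.113.5"),   # legitimate source
    ("93.186.40.1", "203.0.113.5"),   # legitimate source in the /24
    ("192.0.2.9", "203.0.113.5"),     # spoofed: not the customer's space
    ("198.51.100.4", "203.0.113.5"),  # announced but RPKI not-found: still dropped
]


def run_demo():
    """Build the allow list from ROAs and run the filter over the sample packets."""
    permitted = build_permitted_prefixes(SAMPLE_ROAS, SAMPLE_ROUTES)
    return bcp38_filter(permitted, SAMPLE_PACKETS)


if __name__ == "__main__":
    fwd, drp = run_demo()
    print("forwarded:", fwd)
    print("dropped:  ", drp)
```

The point of deriving the allow list from ROAs rather than from the customer's own announcements is the one the post makes: the transit provider no longer has to check by hand whether a prefix was really allocated to that customer, because an announcement without a matching ROA simply never becomes a permitted source prefix.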

