[168285] in North American Network Operators' Group
Re: "trivial" changes to DNS (was: OpenNTPProject.org)
daemon@ATHENA.MIT.EDU (Cb B)
Thu Jan 16 20:21:25 2014
In-Reply-To: <20140117010328.6CD0ED2C0E5@rock.dv.isc.org>
Date: Thu, 16 Jan 2014 17:20:01 -0800
From: Cb B <cb.list6@gmail.com>
To: Mark Andrews <marka@isc.org>
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Jan 16, 2014 5:10 PM, "Mark Andrews" <marka@isc.org> wrote:
>
>
> In message <CAAAwwbVJKEok-ydwEQd4cowJ9qAAtbC8mKqwNXrsud55+H9ZEw@mail.gmail.com>, Jimmy Hess writes:
> > On Thu, Jan 16, 2014 at 3:05 PM, Mark Andrews <marka@isc.org> wrote:
> >
> > > We don't need to change transport, we don't need to port knock. We
> > > just need to implement a slightly modified DNS cookies, which
> > > reminds me that I need to review Donald Eastlake's new draft to be.
> > >
> >
> > But a change to DNS doesn't solve the problem for the other thousand or so
> > UDP-based protocols.
>
> What thousand protocols? There really are very few protocols widely
> deployed on top of UDP.
>
> > What would your fix be for the Chargen and SNMP protocols?
>
> Chargen is turned off on many platforms by default. Turn it off
> on more. Chargen loops are detectable.
>
Somebody has it on.
I can confirm multi-Gb/s-sized chargen attacks going on regularly.
I agree. More chargen off, more BCP 38, but ...yeh.. chargen is a big
problem here and now.
CB
> SNMP doesn't need to be open to the entire world. It's not like
> authoritative DNS servers which are offering a service to everyone.
>
> New UDP based protocols need to think about how to handle spoof
> traffic.
>
> You look at extending routing protocols to provide information
> about the legitimate source addresses that may be emitted over a
> link. SIDR should help here with authentication of the data.
> This will enable better automatic filtering to be deployed.
>
> You continue to deploy BCP38. Every site that deploys BCP38 is one
> less site where owned machines can be used to launch attacks from.
>
> Mark
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742 INTERNET: marka@isc.org
>
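As an added illustration of the two points above (Mark's: filter on the legitimate source addresses a link may emit, i.e. BCP 38; CB's: chargen reflection is what actually shows up on the wire), here is example code that is not from the thread or from any of its authors. It models a per-customer-port ingress filter over constructed flow records, reports which customer port is sourcing spoofed requests to reflection ports, and computes a chargen amplification ratio per reflector. Interface names, prefix lists, port set and the flow records are all assumptions made for the example.

```python
"""Added example (not from the NANOG thread): BCP 38 ingress check over
constructed flow records, plus a chargen (UDP/19) reflection spotter.
Interface names, prefixes and flows below are made up for illustration."""
import ipaddress
from collections import defaultdict, namedtuple

Flow = namedtuple("Flow", "iface src dst proto sport dport nbytes")

# Hypothetical customer-facing ports and the prefixes each may legitimately
# source. Interfaces absent from this map are treated as uplinks and are not
# filtered, since BCP 38 is applied at the customer edge.
ALLOWED_SOURCES = {
    "ge-0/0/1": [ipaddress.ip_network("198.51.100.0/24")],
    "ge-0/0/2": [ipaddress.ip_network("203.0.113.0/25"),
                 ipaddress.ip_network("2001:db8:1::/48")],
}

# UDP ports commonly abused for reflection; chargen is the one CB reports.
REFLECTION_PORTS = {19, 53, 123, 161}
CHARGEN_PORT = 19


def bcp38_permitted(iface, src):
    """True if a packet from `src` may legitimately enter on `iface`.
    An interface with no prefix list is denied here (strict check)."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in ALLOWED_SOURCES.get(iface, []))


def apply_ingress_filter(flows):
    """Split flows into (passed, dropped) as a BCP 38 filter on customer
    ports would; uplink interfaces are passed through untouched."""
    passed, dropped = [], []
    for f in flows:
        if f.iface not in ALLOWED_SOURCES or bcp38_permitted(f.iface, f.src):
            passed.append(f)
        else:
            dropped.append(f)
    return passed, dropped


def spoofed_reflection_requests(dropped):
    """Count dropped (spoofed-source) UDP flows aimed at reflection ports,
    keyed by (ingress interface, destination port): this points at the
    customer port hosting the owned machines the thread is talking about."""
    counts = defaultdict(int)
    for f in dropped:
        if f.proto == "udp" and f.dport in REFLECTION_PORTS:
            counts[(f.iface, f.dport)] += 1
    return dict(counts)


def chargen_amplification(flows):
    """Per host: (bytes sent to UDP/19, bytes sent from UDP/19, ratio).
    A ratio well above 1 marks a chargen reflector being abused."""
    bytes_in, bytes_out = defaultdict(int), defaultdict(int)
    for f in flows:
        if f.proto != "udp":
            continue
        if f.dport == CHARGEN_PORT:
            bytes_in[f.dst] += f.nbytes
        elif f.sport == CHARGEN_PORT:
            bytes_out[f.src] += f.nbytes
    report = {}
    for host in set(bytes_in) | set(bytes_out):
        i, o = bytes_in[host], bytes_out[host]
        report[host] = (i, o, o / i if i else float("inf"))
    return report


# Constructed sample flows (documentation prefixes, not real traffic).
SAMPLE_FLOWS = [
    Flow("ge-0/0/1", "198.51.100.7", "192.0.2.53", "udp", 40231, 53, 64),   # legit DNS query
    Flow("ge-0/0/1", "203.0.113.9", "192.0.2.19", "udp", 53001, 19, 64),    # spoofed victim address
    Flow("ge-0/0/1", "203.0.113.9", "192.0.2.19", "udp", 53001, 19, 64),    # spoofed victim address
    Flow("ge-0/0/2", "203.0.113.9", "192.0.2.19", "udp", 53001, 19, 64),    # same address, own port: legit
    Flow("xe-1/0/0", "192.0.2.19", "203.0.113.9", "udp", 19, 53001, 1024),  # reflector reply via uplink
    Flow("xe-1/0/0", "192.0.2.19", "203.0.113.9", "udp", 19, 53001, 1024),  # reflector reply via uplink
    Flow("ge-0/0/2", "2001:db8:1::10", "2001:db8:ffff::1", "udp", 4000, 443, 1200),  # legit IPv6
    Flow("ge-0/0/2", "2001:db8:2::10", "2001:db8:ffff::1", "udp", 4000, 443, 1200),  # outside /48: spoofed
]

if __name__ == "__main__":
    passed, dropped = apply_ingress_filter(SAMPLE_FLOWS)
    print(f"passed={len(passed)} dropped={len(dropped)}")
    print("spoofed reflection requests:", spoofed_reflection_requests(dropped))
    for host, (i, o, ratio) in chargen_amplification(SAMPLE_FLOWS).items():
        print(f"{host}: {i} B in, {o} B out, amplification x{ratio:.1f}")
```

The two spoofed requests on ge-0/0/1 are what a BCP 38 filter stops before they ever reach the reflector; the same address arriving on ge-0/0/2, whose prefix list covers it, passes, which is the point that source-address filtering needs per-link knowledge of legitimate prefixes rather than a global blocklist. The amplification report is computed over all flows here so the reflector's reply volume is visible even after the requests would have been dropped.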