[168753] in North American Network Operators' Group
Re: TWC (AS11351) blocking all NTP?
daemon@ATHENA.MIT.EDU (Laszlo Hanyecz)
Tue Feb 4 13:45:52 2014
From: Laszlo Hanyecz <laszlo@heliacal.net>
In-Reply-To: <CAB8g2zyiZk0+HmRX1zWfQJym=uo0B0S4fhfov0nKOwG0jNMnoA@mail.gmail.com>
Date: Tue, 4 Feb 2014 18:45:24 +0000
To: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
Why not just provide a public API that lets users specify which of your customers they want to null route? It would save operators the trouble of having to detect the flows.. and you can sell premium access that allows the API user to null route all your other customers at once.
Once everyone implements these awesome flow detectors it will just take short bursts of flooding to DoS their customers. If you can detect them in less than a second, it might not even show up on any interface graphs. I think this is already the case at a lot of VPS and hosting providers, since they're such popular sources as well as targets.
I don't know what, if anything, is the answer to these problems, but building complex auto-filtering contraptions is not it. Filtering NTP or UDP or any other specific application will just break things more, which is the goal of a 'denial of service' attack. Eventually everything will just be stuffed into TCP port 80 packets and the arms race will continue.
The recent abuse of NTP is unfortunate, but it will get fixed. I just wonder if UDP will have to be tunneled inside HTTP by then.
Laszlo