[168759] in North American Network Operators' Group
Re: TWC (AS11351) blocking all NTP?
daemon@ATHENA.MIT.EDU (Laszlo Hanyecz)
Tue Feb 4 14:07:43 2014
From: Laszlo Hanyecz <laszlo@heliacal.net>
In-Reply-To: <CAP-guGX=BC+PR51ycCVshY7QowbO9ykjoW1Pkvcva5WndnSr+A@mail.gmail.com>
Date: Tue, 4 Feb 2014 19:01:51 +0000
To: William Herrin <bill@herrin.us>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
I was joking, I meant that the operator provides an API for attackers, so they can accomplish their goal of taking the customer offline, without having to spoof or flood or whatever else. Automatically installing ACLs in response to observed flows accomplishes almost the same thing. As a concrete example, say a customer is running a game server that utilizes UDP port 12345. An attacker sends a large flow to customer:12345 and your switches and routers all start filtering anything with destination customer:12345, for, say, 2 hours. Then the attacker can just repeat in 2 hours and send only a few seconds' worth of flooding each time.
On Feb 4, 2014, at 6:52 PM, William Herrin <bill@herrin.us> wrote:
> On Tue, Feb 4, 2014 at 1:45 PM, Laszlo Hanyecz <laszlo@heliacal.net> wrote:
>> Why not just provide a public API that lets users specify which
>> of your customers they want to null route?
>
> They're spoofed packets. There's no way for anyone outside your AS to
> know which of your customers the packets came from. It's not
> particularly easy to trace inside your AS either.
>
> Regards,
> Bill Herrin
>
> --
> William D. Herrin ................ herrin@dirtside.com bill@herrin.us
> 3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
> Falls Church, VA 22042-3004