[169110] in North American Network Operators' Group


Re: ddos attack blog

daemon@ATHENA.MIT.EDU (Jared Mauch)
Thu Feb 13 20:02:03 2014

From: Jared Mauch <jared@puck.nether.net>
In-Reply-To: <52FD1359.4020909@flowtools.net>
Date: Thu, 13 Feb 2014 20:01:27 -0500
To: John <jschiel@flowtools.net>
Cc: nanog list <nanog@nanog.org>

On Feb 13, 2014, at 1:47 PM, John <jschiel@flowtools.net> wrote:

> On 02/13/2014 10:06 AM, Cb B wrote:
>> Good write up, includes name and shame for AT&T Wireless, IIJ, OVH,
>> DTAG and others
>>
>> http://blog.cloudflare.com/technical-details-behind-a-400gbps-ntp-amplification-ddos-attack
>>
>> Standard plug for http://openntpproject.org/ and
>> http://openresolverproject.org/ and BCP38, please fix/help.
>>
>> For those of you paying attention to the outage list, this is a pretty
>> big deal that has had daily ramifications for some very big networks
>> https://puck.nether.net/pipermail/outages/2014-February/date.html
>>
>> In general, I think UDP is doomed to be blocked and rate limited --
>> tragedy of the commons.  But, it would be nice if folks would just fix
>> the root of the issue so the rest of us don't have to go there...
>
> UDP won't be blocked. There are some vendors that have their own
> hidden protocol inside UDP packets to control and communicate with their
> devices.
>
> Thinking on it again, maybe blocking UDP isn't all that bad. Would
> force the vendors to not 'hide' their protocol.
>

Be careful what you wish for.  I know some people have just blocked all
NTP to keep their servers from participating in attacks.  This is common
in places where they hand off a VM/host to a customer and no longer have
access despite it being in their environment.

I would actually like to ask for those folks to un-block NTP so there is
proper data on the number of hosts for those researching this.  The
right thing to do is reconfigure them.  I've seen a good trend line in
NTP servers being fixed, and hope we will see more of that in the next
few weeks.

I've seen maybe 100-200 per-ASN reports handed out to network operators.
If you want yours, please e-mail ntp-scan@puck.nether.net to obtain it.
Put your ASN in the subject line and/or body.

- Jared (and others like Patrick that presented on the project's behalf).
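
To make concrete what "reconfigure them" versus "block all NTP" is about, here is an added example (my code, not anything from this thread, from ntpd, or from the Open NTP Project) that builds the 8-byte mode 7 monlist query behind the amplification attack the Cloudflare post linked above describes, decodes the reply burst a responder sends back, and computes the payload amplification it yields. The reply packets in the block are constructed for the offline demonstration, not captured; the only assumptions are the ntpd mode 7 header layout and the 72-byte size of a MON_GETLIST_1 entry.

```python
"""NTP mode 7 'monlist' probe and amplification check.

Added example; not code from the NANOG thread, ntpd, or the Open NTP
Project.  The reply packets used for the worked numbers are constructed
here, not captured from a real host.
"""
import socket
import struct

# Mode 7 (ntpd "private" mode) header, 8 bytes:
#   byte 0: R (response) | M (more) | VN (3 bits) | MODE (3 bits)
#   byte 1: A (auth) | SEQ (7 bits)
#   byte 2: implementation number, byte 3: request code
#   bytes 4-5: ERR (4 bits) | NITEMS (12 bits)
#   bytes 6-7: MBZ (4 bits) | SIZE (12 bits, bytes per item)
MODE7_HDR = struct.Struct("!BBBBHH")
RESP_BIT, MORE_BIT = 0x80, 0x40
IMPL_XNTPD = 3           # implementation number ntpd answers for
REQ_MON_GETLIST_1 = 42   # the 'monlist' request code
MON_ITEM_SIZE = 72       # size of one monlist entry (MON_GETLIST_1)


def build_monlist_request() -> bytes:
    """The 8-byte query that triggers a monlist dump: version 2, mode 7, no items."""
    first = (2 << 3) | 7                      # VN=2, MODE=7 -> 0x17
    return MODE7_HDR.pack(first, 0, IMPL_XNTPD, REQ_MON_GETLIST_1, 0, 0)


def parse_mode7_reply(pkt: bytes) -> dict:
    """Decode the header of one mode 7 reply; raises ValueError for anything else."""
    if len(pkt) < MODE7_HDR.size:
        raise ValueError("packet shorter than a mode 7 header")
    first, auth_seq, impl, req, err_nitems, mbz_size = MODE7_HDR.unpack_from(pkt)
    if not (first & RESP_BIT) or (first & 0x07) != 7:
        raise ValueError("not a mode 7 response")
    return {
        "more": bool(first & MORE_BIT),
        "seq": auth_seq & 0x7F,
        "impl": impl,
        "req": req,
        "err": err_nitems >> 12,            # 0 means INFO_OKAY
        "nitems": err_nitems & 0x0FFF,
        "item_size": mbz_size & 0x0FFF,
        "body_len": len(pkt) - MODE7_HDR.size,
    }


def build_monlist_reply(nitems: int, seq: int, more: bool) -> bytes:
    """Constructed reply packet, used here only to exercise the parser offline.
    Real entries carry peer address/port/mode fields; zero bytes stand in."""
    first = RESP_BIT | (MORE_BIT if more else 0) | (2 << 3) | 7
    hdr = MODE7_HDR.pack(first, seq & 0x7F, IMPL_XNTPD, REQ_MON_GETLIST_1,
                         nitems & 0x0FFF, MON_ITEM_SIZE & 0x0FFF)
    return hdr + bytes(MON_ITEM_SIZE * nitems)


def summarize(request: bytes, replies: list) -> dict:
    """Is the host an open monlist responder, and how much does it amplify?"""
    parsed = [parse_mode7_reply(p) for p in replies]
    entries = sum(r["nitems"] for r in parsed if r["err"] == 0)
    bytes_out = sum(len(p) for p in replies)
    return {
        "open_monlist": entries > 0,
        "entries": entries,
        "packets": len(replies),
        "bytes_out": bytes_out,
        "complete": bool(parsed) and not parsed[-1]["more"],
        # payload-only ratio; IP/UDP headers would add 28 bytes per packet
        "amplification": bytes_out / len(request) if request else 0.0,
    }


def probe(host: str, port: int = 123, timeout: float = 2.0) -> list:
    """Send one monlist query and collect the reply burst (network; not exercised
    by the offline test).  Only point this at hosts you are responsible for."""
    replies = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_monlist_request(), (host, port))
        try:
            while True:
                pkt, _ = sock.recvfrom(2048)
                replies.append(pkt)
                if not parse_mode7_reply(pkt)["more"]:
                    break
        except socket.timeout:
            pass
    return replies


if __name__ == "__main__":
    # Offline demonstration: a 3-packet burst carrying 6 + 6 + 4 entries.
    burst = [build_monlist_reply(6, 0, True), build_monlist_reply(6, 1, True),
             build_monlist_reply(4, 2, False)]
    print(summarize(build_monlist_request(), burst))
```

The fix that keeps time sync working while removing the amplifier lives in ntp.conf, not in a UDP filter: `restrict default kod nomodify notrap nopeer noquery` (and `restrict -6 default ...` on dual-stack hosts) refuses mode 6/7 queries, and `disable monitor` switches off the monitoring table that monlist dumps; ordinary mode 3/4 client/server exchanges are unaffected. Afterwards, `probe()` against your own host should return an empty list, which is the result the per-ASN reports above are looking for.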
