[169386] in North American Network Operators' Group
Re: The somewhat illegal fix for NTP attacks
daemon@ATHENA.MIT.EDU (Jared Mauch)
Sat Feb 22 07:44:50 2014
From: Jared Mauch <jared@puck.nether.net>
In-Reply-To: <CAPkb-7AdMQ=Kpy5_BDYOfQF++B0h693a0Jp5YjZ-DXaGtc9wyQ@mail.gmail.com>
Date: Sat, 22 Feb 2014 07:43:21 -0500
To: Baldur Norddahl <baldur.norddahl@gmail.com>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Feb 21, 2014, at 5:08 PM, Baldur Norddahl <baldur.norddahl@gmail.com> wrote:
> Hi
>
> The following would probably be illegal so do not actually do this. But
> what if... there are just 4 billion IPv4 addresses. Scanning that
> address-space for open NTP is trivially done in a few hours. Abusing these
> servers for reflection attack is as trivial, hence the problem. How can we
> get the responsible parties to fix their NTP servers?
>
> Answer: DDoS them. With their own service.

One of the attacks that was mitigated the fastest was the SQL Slammer worm due to the broad impact it had across the internet.

The OpenNTP and OpenResolver projects provide inventories of these servers for operators to take action and to take to their customer cone.

> Or it could be a DDoS defense. As a victim of an ongoing NTP reflection
> attack, you know exactly the IP-addresses of the vulnerable NTP servers
> used to attack you. Make them stop by sending back forged NTP packets, so
> they use up their available bandwidth to DDoS each other instead of you.
> This could even be automated. If you let them attack their next-hop as
> discovered by traceroute, it might not even be illegal or harmful. They
> will only bring down their own link, do no more harm to the internet at
> large and they can fix it by stopping the NTP service. If they are part of
> an ongoing DDoS attack it is just self defence to shut them down in the
> least harmful way possible.

Do you have a letter from the local law enforcement or legal counsel on this topic? If so, can you please share it with the class or submit a presentation to an upcoming conference on this?

- Jared