[169438] in North American Network Operators' Group


Re: Filter NTP traffic by packet size?

daemon@ATHENA.MIT.EDU (Jared Mauch)
Wed Feb 26 17:42:06 2014

From: Jared Mauch <jared@puck.nether.net>
In-Reply-To: <20125.1393454025@turing-police.cc.vt.edu>
Date: Wed, 26 Feb 2014 17:40:06 -0500
To: Valdis.Kletnieks@vt.edu
Cc: Keegan Holley <no.spam@comcast.net>, "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org


On Feb 26, 2014, at 5:33 PM, Valdis.Kletnieks@vt.edu wrote:

> On Wed, 26 Feb 2014 11:44:55 -0600, Brandon Galbraith said:
>
>> Blocking chargen at the edge doesn't seem to be outside of the realm of
>> possibilities.
>
> What systems (a) still have chargen enabled and (b) are common enough to make
> it a viable DDoS vector?  Just wondering if I need to go around and find
> users of mine that need to be smacked around with a large trout....

First, if you didn't see this excellent paper, check it out:

http://www.internetsociety.org/doc/amplification-hell-revisiting-network-protocols-ddos-abuse

a) Yes - printers and other devices have it.

b) yes.

I only ran the scan once, but had ~130k devices respond.

http://chargenscan.org/chargenip2asn.txt

- Jared


