[177348] in North American Network Operators' Group
Re: Google's Safe Browsing Alerts for Network Administrators
daemon@ATHENA.MIT.EDU (Jared Mauch)
Tue Jan 13 06:32:35 2015
X-Original-To: nanog@nanog.org
From: Jared Mauch <jared@puck.nether.net>
In-Reply-To: <003301d02e96$f015b170$d0411450$@iname.com>
Date: Tue, 13 Jan 2015 06:32:24 -0500
To: Frank Bulk <frnkblk@iname.com>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org
Hat: open.*project person..
With the complaints we get, often the people aren't properly secured, they are just seeing the noise in their logs or they just started logging.
We often get more complaints after the first six months as someone says "oh hey, we updated our IPS and now see the NTP traffic that we didn't see in 2000-2015, let's complain about it". It's good they have visibility now but most people don't get the true issue or impact, and don't even appreciate it when they are on the receiving end of a 100-250Gb/s attack from these services.
Take a moment to read the Christian Rossow paper called "Amplification Hell".
While amplifiers are only a part of the equation, the trend of fixes is important to track so people understand the state of the fixes.
Jared Mauch
> On Jan 12, 2015, at 1:38 PM, Frank Bulk <frnkblk@iname.com> wrote:
>
> In regards to ShadowServer, I don’t think they’re randomly scanning
> networks, and neither are folks like OpenResolver – I think it’s pretty
> systematic, albeit from perhaps only a certain point of view on the
> Internet. If their scans are being dropped and logged, that’s great –
> that means someone has measures in place to mitigate attacks that
> leverage those UDP protocols. But for those who use their output to
> better secure their own and clients’ endpoint devices, it’s much
> appreciated. If it’s really just a drop in the ocean, what does it
> matter to you?