SNMP DDoS: the vulnerability you might not know you have

Larry Sheldon LarrySheldon at
Wed Jul 31 22:50:18 UTC 2013

On 7/31/2013 4:29 PM, Blake Dunlap wrote:

> It works better to fix the design issues than to play whack-a-mole
> by blocking every imaginable service to your customers that responds
> to the public with data larger than a FIN. Like getting their
> providers to more proactively police their spew, manufacturers to stop
> making negligent devices, or implementing more intelligent filter
> communication so the only option doesn't begin with calling your
> provider and asking them over the phone to block X ip for you since
> you're off the internet.
> Maybe even look into liability laws for allowing said attacks to
> originate from your customers and not doing anything about it, or
> being the manufacturer of said devices that harm others through their
> lack of due diligence implementing proper security. It's still way
> more effective than trying to fix the *last instance* of the problem,
> instead of its reasons for enduring as an issue at a global scale.

The first time I became a pariah on NANOG was for postulating precisely 
that view--that if the originators of problems would stop, we would not 
have to figure out how to clean up after them.  But I am past that now 
and out of work.

But it does occur to me for the first time that I can recall, that maybe 
the tremendous efforts to Get Control Of The Intertubes could be 
suckered into doing some good, say by establishing a certification 
authority to test and certify the safety of designs (is Scott B????? 
still around) and devise a way to not permit traffic from uncertified 
devices or configurations.

But after years of research I will tell you that there is no way to stop 
an avalanche once it has been released at the source.

Requiescas in pace o email
Ex turpi causa non oritur actio

Two identifying characteristics of System Administrators:
Infallibility, and the ability to learn from their mistakes.
(Adapted from Stephen Pinker)
