SNMP DDoS: the vulnerability you might not know you have
LarrySheldon at cox.net
Wed Jul 31 22:50:18 UTC 2013
On 7/31/2013 4:29 PM, Blake Dunlap wrote:
> It works better to fix the design issues than to play whack a mole
> by blocking every imaginable service to your customers that responds
> to the public with data larger than a FIN. Like getting their
> providers to more proactively police their spew, manufactures to stop
> making negligent devices, or implementing more intelligent filter
> communication so the only option doesn't begin with calling your
> provider and asking them over the phone to block X ip for you since
> you're off the internet.
> Maybe even look into liability laws for allowing said attacks to
> originate from your customers and not doing anything about it, or
> being manufacturer of said devices that harm others through their
> lack of due diligence implementing proper security. It's still way
> more effective than trying to fix the *last instance* of the problem,
> instead of it's reasons for enduring as an issue at a global scale.
The first time I became a pariah on NANOG was for postulating precisely
that view--that if the originators of problems would stop, we would not
have to figure out how to clean up after them. But I am past that now
and out of work.
But it does occur to me for the first time that I can recall, that maybe
the tremendous efforts to Get Control Of The Intertubes could be
suckered into doing some good, say be establishing a certification
authority to test and certify the safety of designs (is Scott B?????
still around) and devise a way to not permit traffic from uncertified
devices or configurations.
But after years of research I will tell you that there is no way to stop
an avalanche once it has been released at the source.
Requiescas in pace o email Two identifying characteristics
of System Administrators:
Ex turpi causa non oritur actio Infallibility, and the ability to
learn from their mistakes.
(Adapted from Stephen Pinker)
More information about the NANOG