ddos attack blog
jared at puck.nether.net
Fri Feb 14 01:01:27 UTC 2014
On Feb 13, 2014, at 1:47 PM, John <jschiel at flowtools.net> wrote:
> On 02/13/2014 10:06 AM, Cb B wrote:
>> Good write up, includes name and shame for AT&T Wireless, IIJ, OVH,
>> DTAG and others
>> Standard plug for http://openntpproject.org/ and
>> http://openresolverproject.org/ and bcp38 , please fix/help.
>> For those of you paying attention to the outage list, this is a pretty
>> big deal that has had daily ramification for some very big networks
>> In general, i think UDP is doomed to be blocked and rate limited --
>> tragedy of the commons. But, it would be nice if folks would just fix
>> the root of the issue so the rest of us don't have go there...
> UDP won't be blocked. There are some vendors that have their own hidden protocol inside UDP packets to control and communicate with their devices.
> Thinking on it again, maybe blocking UDP isn't all that bad. Would force the vendors to not 'hide' their protocol.
Be careful what you wish for. I know some people have just blocked all NTP to keep their servers from participating in attacks. This is common in places where they hand off a VM/host to a customer and no longer have access despite it being in their environment.
I would actually like to ask for those folks to un-block NTP so there is proper data on the number of hosts for those researching this. The right thing to do is reconfigure them. I've seen a good trend line in NTP servers being fixed, and hope we will see more of that in the next few weeks.
I've seen maybe 100-200 per-ASN reports handed out to network operators. If you want yours, please e-mail ntp-scan at puck.nether.net to obtain it. Put your ASN in the subject line and/or body.
- Jared (and others like Patrick that presented on the projects behalf).
More information about the NANOG