Permitting spoofed traffic [Was: Re: ddos attack blog]

Paul Ferguson fergdawgster at mykolab.com
Fri Feb 14 18:42:55 UTC 2014


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 2/14/2014 10:22 AM, Wayne E Bouchard wrote:

> On Thu, Feb 13, 2014 at 08:01:27PM -0500, Jared Mauch wrote:
>> I would actually like to ask for those folks to un-block NTP so
>> there is proper data on the number of hosts for those researching
>> this.  The right thing to do is reconfigure them.  I've seen a
>> good trend line in NTP servers being fixed, and hope we will see
>> more of that in the next few weeks.
> 
> 
> A slight exception to that statement, if I may...
> 
> The right thing to do is for people to not permit services to
> operate on hosts they do not intend to operate on and not to be
> visible to those they do not intend to use them. In other words, to
> properly manage their networks. If that means blocking all access
> to potentially faulty implementations, then that's the right thing
> to do. In short, companies should do what is right for their
> companies and nevermind anyone else.
> 
> Never forget that researches are just part of the "public" and
> should never consider that their usage of the internet is any more
> or less valid to the average third party than the next guy.
> 

Taken to the logical extreme, the "right thing" to do is to deny any
spoofed traffic from abusing these services altogether. NTP is not the
only one; there is also SNMP, DNS, etc.

- - ferg


- -- 
Paul Ferguson
VP Threat Intelligence, IID
PGP Public Key ID: 0x54DC85B2

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (MingW32)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iF4EAREIAAYFAlL+Y68ACgkQKJasdVTchbJ/dgEAqgERvP6HMl2v5fbhZDwI9QKT
YEe/c3mN5gZlxsIKFo0A/3BH9KMV6ln7XMrlnk4c/GuwZ9X4LAgqO6l2p8u3aA49
=yWZU
-----END PGP SIGNATURE-----



More information about the NANOG mailing list