The somewhat illegal fix for NTP attacks

Alain Hebert ahebert at
Mon Feb 24 12:56:01 UTC 2014


    Since when SNMP, NTP or DNS are vulnerable?

    They both follow to the appropriate RFC's, contrary to all those AS
+ /24 that keep allowing spoofing source IP address.

    The victims of attacks could get the Tiers to follow back the source
of the attack instead, but the corporations involved have more money
than the small guy you'll bash for having the balls of running a
resolver for his roaming customers.

    This false debate will never end...

Alain Hebert                                ahebert at   
PubNIX Inc.        
50 boul. St-Charles
P.O. Box 26770     Beaconsfield, Quebec     H9W 6G7
Tel: 514-990-5911    Fax: 514-990-9443

On 02/22/14 16:09, Jimmy Hess wrote:
> On Sat, Feb 22, 2014 at 6:41 AM, Rich Kulawiec <rsk at> wrote:
> Perhaps you would rather publish a blacklist of   "/24s containing NTP
> servers open to MONLIST" over UDP port 123   similar to the  bogon feeds.
> And encourage all networks to blackhole the list.
> That way potential NTP reflection abuse traffic  gets  stuffed as close to
> the source as possible.
>> It's never appropriate to respond to abuse with abuse.  Not only is
>> it questionable/unprofessional behavior, but -- as we've seen -- there
>> is a high risk that it'll exacerbate the problem, often by targeting
>> innocent third parties.
>> I understand the frustration but this is not the way.
>> ---rsk
> --
> -JH

More information about the NANOG mailing list