Damian Menscher damian at
Tue Jan 14 16:35:49 UTC 2014

On Mon, Jan 13, 2014 at 11:18 PM, Saku Ytti <saku at> wrote:

> On (2014-01-13 21:33 +0000), Bjoern A. Zeeb wrote:
> > BCP38!  I am always surprised when people need crypto if they fail the
> simple things.
> Saying that BCP38 is solution to the reflection attacks is not unlike 5
> year
> old wishing nothing but world peace for christmas, endearing, but it's not
> going to change anything.
> BCP38 is completely unrealistic, many access networks are on autopilot,
> many
> don't have HW support for BCP38, one port configured has low-benefit, only
> that machine can stop attacking (but whole world).
> near term, reducing attack surface is practical to reduce impact (not a
> solution, just damage control)

BCP38 (even if not fully deployed) is the only viable form of reducing the
attack surface.  Other ideas can never reach enough adoption to have any
impact (they need to be ~100% deployed before any improvement is seen).

As an example, let's imagine you successfully close 99% of the open DNS
recursive resolvers, dropping the number of available reflectors from 28M
down to 280k.  Has that achieved anything?  No, the attacks will be just as
large.  Or even if you do get to 100%, you haven't done anything about the
authoritative servers.  Or the other protocols, like NTP, Chargen, etc.

near term, transit providers who do BGP prefix-list, could use same
> prefix-list for ACL, segmenting spoofing domains. It's very high pay-off,
> couple ports configured, whole downstream branch isolated into its own
> spoofing domain, able to just attack targets inside same domain.

I see this as a form of BCP38, but imposed on networks by their transit
providers, rather than done voluntarily.  It would be great if it could
work, but I have doubts due to asymmetric routing announcements intended
for traffic shaping.

mid term, transport area in IETF. DNS, NTP, SNMP, chargen could
> trivially change to QUIC/MinimaLT or compared, getting same 0 RTT penalty
> as
> UDP without reflection potential.

I'd expect that to take 20 years or more.  Even if new standards are
defined, the old servers will only be removed when they physically fail.

My crazy proposal: get international agreement that sending spoofed packets
is illegal, then trace their sources.  Tracing the sources just requires
transit providers (or other large networks) to collect and analyze netflow,
but that may end up being as infeasible as changing the global legal
system. ;)


More information about the NANOG mailing list