"trivial" changes to DNS (was: OpenNTPProject.org)

Cb B cb.list6 at gmail.com
Fri Jan 17 01:20:01 UTC 2014


On Jan 16, 2014 5:10 PM, "Mark Andrews" <marka at isc.org> wrote:
>
>
> In message <CAAAwwbVJKEok-ydwEQd4cowJ9qAAtbC8mKqwNXrsud55+H9ZEw at mail.gmail.com>, Jimmy Hess writes:
> > On Thu, Jan 16, 2014 at 3:05 PM, Mark Andrews <marka at isc.org> wrote:
> >
> > > We don't need to change transport, we don't need to port knock.  We
> > > just need to implement a slightly modified dns cookies which
> > > reminds me that I need to review Donald Eastlake's new draft to be.
> > >
> >
> > But a change to DNS doesn't solve the problem for the other thousand or
> > so UDP-based protocols.
>
> What thousand protocols?  There really are very few protocols widely
> deployed on top of UDP.
>
> > What would your fix be for the Chargen and SNMP protocols?
>
> Chargen is turned off on many platforms by default.  Turn it off
> on more.  Chargen loops are detectable.
>

Somebody has it on.

I can confirm multi-Gb/s sized chargen attacks going on regularly.

I agree. More chargen off, more BCP 38, but ... yeah, chargen is a big
problem here and now.

CB

> SNMP doesn't need to be open to the entire world.  It's not like
> authoritative DNS servers which are offering a service to everyone.
>
> New UDP based protocols need to think about how to handle spoof
> traffic.
>
> You look at providing extending routing protocols to provide
> information about the legitimate source addresses that may be emitted
> over a link.  SIDR should help here with authentication of the data.
> This will enable better automatic filtering to be deployed.
>
> You continue to deploy BCP38.  Every site that deploys BCP38 is one
> less site where owned machines can be used to launch attacks from.
>
> Mark
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
>
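Two of the defensive points in the exchange above, BCP38 source-address validation on customer links and spotting hosts on your own network being used as chargen/SNMP reflectors, can both be checked from ordinary flow records. The script below is an added example, not code from the thread or from any NANOG participant; the interface names, the allowed prefixes per interface, the reflector port table and the flow records are all constructed for illustration.

```python
"""Added example: two operator-side checks over (constructed) flow records.

1. bcp38_violations: each customer-facing ingress interface has a list of
   prefixes the customer may legitimately source from.  A flow entering on
   that interface with a source outside those prefixes is spoofed and is
   exactly what a BCP38 ingress ACL / strict uRPF would drop.

2. reflection_candidates: outbound UDP flows whose *source* port is a known
   amplifier service (chargen/19, DNS/53, NTP/123, SNMP/161) and which carry
   many large packets toward one destination indicate a host on our side
   answering spoofed queries, i.e. being used as a reflector.
"""
import ipaddress
from collections import defaultdict

# Assumed per-interface source prefixes (constructed; in practice these come
# from the customer's assignment records or an IRR/SIDR-derived prefix list).
INGRESS_PREFIXES = {
    "ge-0/0/1": [ipaddress.ip_network("192.0.2.0/24")],
    "ge-0/0/2": [ipaddress.ip_network("198.51.100.0/25")],
}

# UDP services commonly abused as reflectors, keyed by the port the
# *reflector* answers from.
REFLECTOR_PORTS = {19: "chargen", 53: "dns", 123: "ntp", 161: "snmp"}

# Constructed flow records:
# (ingress_if, src, dst, proto, sport, dport, packets, bytes)
SAMPLE_FLOWS = [
    ("ge-0/0/1", "192.0.2.10", "203.0.113.5", "udp", 19, 40000, 2000, 2400000),
    ("ge-0/0/1", "192.0.2.11", "203.0.113.9", "tcp", 44321, 443, 10, 1200),
    ("ge-0/0/2", "203.0.113.77", "198.51.100.200", "udp", 53000, 53, 500, 35000),
    ("ge-0/0/2", "198.51.100.20", "203.0.113.5", "udp", 161, 40000, 1500, 1800000),
    ("ge-0/0/1", "192.0.2.12", "203.0.113.40", "udp", 19, 52000, 3, 200),
]


def bcp38_violations(flows, prefixes=INGRESS_PREFIXES):
    """Return the flows whose source address is not inside any prefix
    allowed on the ingress interface they arrived on (spoofed sources)."""
    bad = []
    for flow in flows:
        iface, src = flow[0], ipaddress.ip_address(flow[1])
        allowed = prefixes.get(iface, [])
        if not any(src in net for net in allowed):
            bad.append(flow)
    return bad


def reflection_candidates(flows, min_packets=1000, min_bytes_per_packet=500):
    """Aggregate UDP flows sourced from reflector ports by (src, dst, service)
    and return those that look like amplified answers: many packets with a
    high average size toward a single destination."""
    agg = defaultdict(lambda: [0, 0])  # key -> [packets, bytes]
    for _iface, src, dst, proto, sport, _dport, pkts, nbytes in flows:
        if proto != "udp" or sport not in REFLECTOR_PORTS:
            continue
        key = (src, dst, REFLECTOR_PORTS[sport])
        agg[key][0] += pkts
        agg[key][1] += nbytes

    found = []
    for (src, dst, service), (pkts, nbytes) in agg.items():
        bpp = nbytes / pkts
        if pkts >= min_packets and bpp >= min_bytes_per_packet:
            found.append({"src": src, "dst": dst, "service": service,
                          "packets": pkts, "bytes_per_packet": bpp})
    # Largest average packet size first; stable sort keeps input order on ties.
    return sorted(found, key=lambda r: r["bytes_per_packet"], reverse=True)


if __name__ == "__main__":
    for flow in bcp38_violations(SAMPLE_FLOWS):
        print("BCP38 drop: src %s arrived on %s" % (flow[1], flow[0]))
    for hit in reflection_candidates(SAMPLE_FLOWS):
        print("possible %s reflector %s -> %s (%d pkts, %.0f B/pkt)"
              % (hit["service"], hit["src"], hit["dst"],
                 hit["packets"], hit["bytes_per_packet"]))
```

The thresholds are deliberately coarse: the point is that a host answering from UDP/19 or UDP/161 with kilobyte-sized packets at volume is worth a ticket whether or not it is the customer's intent, and that the BCP38 check needs nothing more than the prefix list you already hold for the link.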
