UDP/123 policers & status

• Previous message (by thread): UDP/123 policers & status
• Next message (by thread): UDP/123 policers & status
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 3/28/2020 3:29 PM, Bottiger wrote:
>     but why isn't BCP 38 widely deployed?  
> 
> 
> Because it costs time and money. People have been asking for it to be
> implemented for decades. It is never going to be deployed on every network.

So you are claiming BCP 38 has to be all or nothing?  That there is *no*
benefit to incremental deployment?

>     What fraction of the
>     world does implement BCP 38?  
> 
> 
>  Not enough. Everyone has to use it for it to work. Otherwise the
> hackers will still find a network that doesn't have it.

I disagree.  Enough people have to use it for it to work.  And as more
folks use it, there is increasing motivation for more folks to use it.
As the number of deployments increases, one can assume (perhaps
correctly) that it will become less expensive to deploy, and that
additional measures will be found to help accomplish the same thing.

>     I'd also be interested in general background info on DDoS.  Who is
>     DDoS-ing
>     whom and/or why?  Is this gamers trying to get an advantage on a
>     competitor? 
>     Bad guys making a test run to see if the server can be used for a
>     real run?  
> 
> 
> Most motivations for attacks can't be traced. But this is not just a
> gaming problem. It is used to extort businesses for money, destroy
> competitors, shutdown government critics, fame. 
> 
>      Is DDoS software widely available on the dark web?
> 
> 
> You don't need the dark web. It is widely available on Github like most
> other attack types.
> 
> https://github.com/search?q=ntp+ddos  
> 
> Broken protocols need to be removed and blacklisted at every edge.
> Pushing the responsibility to BCP38 is unrealistic.

The monlist attack was mitigated many years' ago.  The problem is that
too many folks don't upgrade their software.

> On Mon, Mar 23, 2020 at 7:43 AM Hal Murray
> <hgm+nanog at ip-64-139-1-69.sjc.megapath.net
> <mailto:hgm%2Bnanog at ip-64-139-1-69.sjc.megapath.net>> wrote:
> 
>     Steven Sommars said:
>     > The secure time transfer of NTS was designed to avoid
>     amplification attacks.

Uh, no.

If you understand what's going on from the perspective of both the
client and the server and think about the various cases, I think you'll
see what I mean.

NTS is a task-specific hammer.

-- 
Harlan Stenn <stenn at nwtime.org>
http://networktimefoundation.org - be a member!

• Previous message (by thread): UDP/123 policers & status
• Next message (by thread): UDP/123 policers & status
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]