<div dir="ltr"><div dir="ltr"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><span style="color:rgb(0,0,0)">but why isn't BCP 38 widely deployed?</span> <br></blockquote><div><br></div><div>Because it costs time and money. People have been asking for it to be implemented for decades. It is never going to be deployed on every network.</div><div><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><span style="color:rgb(0,0,0)">What fraction of the</span><br style="color:rgb(0,0,0)"><span style="color:rgb(0,0,0)">world does implement BCP 38?</span> <br></blockquote><div><br></div><div> Not enough. Everyone has to use it for it to work. Otherwise the hackers will still find a network that doesn't have it.</div><div><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><span style="color:rgb(0,0,0)">I'd also be interested in general background info on DDoS. Who is DDoS-ing</span><br style="color:rgb(0,0,0)"><span style="color:rgb(0,0,0)">whom and/or why? Is this gamers trying to get an advantage on a competitor? </span><br style="color:rgb(0,0,0)"><span style="color:rgb(0,0,0)">Bad guys making a test run to see if the server can be used for a real run? </span> </blockquote><div><br></div><div>Most motivations for attacks can't be traced. But this is not just a gaming problem. It is used to extort businesses for money,
destroy competitors, shut down government critics, fame. <br></div><div><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"> <span style="color:rgb(0,0,0)">Is DDoS software widely available on the dark web?</span></blockquote><div><br></div><div>You don't need the dark web. It is widely available on Github like most other attack types.</div><div><br></div><div><a href="https://github.com/search?q=ntp+ddos">https://github.com/search?q=ntp+ddos</a> <br></div><div><br></div><div>Broken protocols need to be removed and blacklisted at every edge. Pushing the responsibility to BCP38 is unrealistic.</div><div><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Mon, Mar 23, 2020 at 7:43 AM Hal Murray <<a href="mailto:hgm%2Bnanog@ip-64-139-1-69.sjc.megapath.net">hgm+nanog@ip-64-139-1-69.sjc.megapath.net</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Steven Sommars said:<br>
> The secure time transfer of NTS was designed to avoid amplification attacks.<br>
<br>
I work on NTP software (ntpsec). I have a couple of low cost cloud servers in <br>
the pool where I can test things and collect data.<br>
<br>
I see bursts of 10K to several million packets "from" the same IP Address at <br>
1K to 10K packets per second. Ballpark of 100 events per day, depending on <br>
the size cutoff. I saw one that lasted for most of a day at 1K packets/sec.<br>
<br>
All the packets I've seen have been vanilla NTP requests - no attempt at <br>
amplification. I'm only checking a very small fraction of the garbage.<br>
<br>
I haven't seen any pattern in the target IP Address. Reverse DNS names that <br>
look like servers are rare. I see legitimate NTP requests from some of the <br>
targets.<br>
<br>
Would data be useful? If so, who, what, ... (poke me off list)<br>
<br>
I don't see any good solution that a NTP server can implement. If I block <br>
them all, the victim can't get time. If I let some fraction through, that <br>
just reduces the size of the DDoS. I don't see a fraction that lets enough <br>
through so the victim is likely to get a response to a legitimate request <br>
without also getting a big chunk of garbage. I'm currently using a fraction <br>
of 0. If the victim is using several servers, one server getting knocked out <br>
shouldn't be a big deal. (The pool mode of ntpd should drop that system and <br>
use DNS to get another.)<br>
<br>
If NTS is used, it would be possible to include the client's IP Address in the <br>
cookie and only respond to requests with cookies that were issued to the <br>
client. That has privacy/tracking complications.<br>
<br>
----------<br>
<br>
I don't want to start a flame war, but why isn't BCP 38 widely deployed? Can <br>
somebody give me a pointer to a talk at NANOG or such? What fraction of the <br>
world does implement BCP 38?<br>
<br>
I'd also be interested in general background info on DDoS. Who is DDoS-ing <br>
whom and/or why? Is this gamers trying to get an advantage on a competitor? <br>
Bad guys making a test run to see if the server can be used for a real run? <br>
Is DDoS software widely available on the dark web? ...<br>
<br>
<br>
<br>
<br>
<br>
-- <br>
These are my opinions. I hate spam.<br>
<br>
<br>
<br>
</blockquote></div></div>
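<div>The traffic pattern Hal describes above (bursts of thousands of vanilla NTP requests per second all "from" one spoofed address, and a server-side policy of answering a fraction of zero from such sources) can be turned into a small detector. The following is an added example written for this thread; it is not ntpsec code and not something either poster published. The window size, packets-per-second threshold, addresses and packet records are all constructed for illustration.</div>

```python
"""Flag NTP request floods that share one (spoofed) source address.

Added example for the thread above, not ntpsec code. Input records are
constructed inline; a real deployment would feed (timestamp, src_ip) pairs
from a packet capture or the server's request log.
"""
import random
from collections import defaultdict, deque

# Thresholds chosen for the toy data below (assumptions, not ntpsec settings).
WINDOW_SECONDS = 1.0
PPS_THRESHOLD = 50        # more than this many requests per second from one IP = burst


def detect_bursts(packets, window=WINDOW_SECONDS, threshold=PPS_THRESHOLD):
    """packets: iterable of (timestamp_seconds, src_ip) sorted by timestamp.

    Returns {src_ip: (peak_packets_in_window, first_burst_timestamp)} for every
    source that exceeds `threshold` packets per second within any sliding
    `window`-second interval. Legitimate clients polling every few seconds
    never accumulate enough packets in one window to be flagged.
    """
    recent = defaultdict(deque)   # src_ip -> timestamps still inside the window
    bursts = {}
    for ts, src in packets:
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:   # expire packets older than the window
            q.popleft()
        if len(q) > threshold * window:
            peak, first = bursts.get(src, (0, ts))
            bursts[src] = (max(peak, len(q)), first)
    return bursts


def should_respond(src_ip, flagged, pass_fraction=0.0, rng=random.random):
    """Server-side policy from the thread: answer unflagged sources normally;
    for a flagged (presumed spoofed victim) address let only `pass_fraction`
    of requests through. The poster's choice is a fraction of 0, i.e. drop all,
    since any fraction > 0 merely shrinks the reflected flood rather than
    stopping it."""
    if src_ip not in flagged:
        return True
    if pass_fraction <= 0.0:
        return False
    return rng() < pass_fraction


def constructed_sample():
    """Constructed traffic: a 1000 pps burst from one address mixed with a
    client that polls once per second. Addresses are documentation ranges."""
    flood = [(i * 0.001, "203.0.113.7") for i in range(200)]    # 200 pkts in 0.2 s
    legit = [(float(s), "198.51.100.5") for s in range(5)]      # 1 pps
    return sorted(flood + legit)


if __name__ == "__main__":
    flagged = detect_bursts(constructed_sample())
    for ip, (peak, first) in flagged.items():
        print(f"burst from {ip}: peak {peak} pkts/window, started at t={first:.3f}s")
    for ip in ("203.0.113.7", "198.51.100.5"):
        print(ip, "->", "respond" if should_respond(ip, flagged) else "drop")
```

<div>Run as-is it reports the flood source and shows the legitimate client untouched. The detector only tells you which address is being spoofed as the victim, not who is sending; as the thread notes, that part needs BCP 38 at the originating edge, which a server operator cannot influence.</div>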
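<div>Hal's suggestion that an NTS server could bind the cookie to the client's IP address and answer only requests whose cookie was issued to that address can be modelled in a few lines. This is an added example for the thread, not ntpsec code and not the RFC 8915 cookie format; the cookie layout (nonce plus HMAC over nonce and source address), the server key and the addresses are assumptions made for illustration.</div>

```python
"""Toy model of an IP-bound cookie: the server answers a request only if the
cookie it carries was minted for the request's source address.

Added example, not ntpsec code and not the real NTS cookie format.
Key, cookie layout and addresses are assumptions for illustration.
"""
import hashlib
import hmac
import os

NONCE_LEN = 16
TAG_LEN = 32
SERVER_KEY = os.urandom(32)   # real NTS servers rotate cookie keys; assumed static here


def issue_cookie(client_ip: str, key: bytes = SERVER_KEY) -> bytes:
    """Cookie = nonce || HMAC-SHA256(key, nonce || client_ip).

    The address is not stored in the cookie; the server recomputes the tag
    from the source address of each incoming request, so a cookie replayed
    from a spoofed address fails verification."""
    nonce = os.urandom(NONCE_LEN)
    tag = hmac.new(key, nonce + client_ip.encode(), hashlib.sha256).digest()
    return nonce + tag


def cookie_valid(cookie: bytes, request_src_ip: str, key: bytes = SERVER_KEY) -> bool:
    """True only if the cookie was issued by `key` for `request_src_ip`."""
    if len(cookie) != NONCE_LEN + TAG_LEN:
        return False
    nonce, tag = cookie[:NONCE_LEN], cookie[NONCE_LEN:]
    expected = hmac.new(key, nonce + request_src_ip.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(tag, expected)   # constant-time comparison


def handle_request(cookie: bytes, request_src_ip: str, key: bytes = SERVER_KEY) -> str:
    """Server decision for one NTS-protected request: 'respond' or 'drop'."""
    return "respond" if cookie_valid(cookie, request_src_ip, key) else "drop"


if __name__ == "__main__":
    # Constructed addresses from documentation ranges.
    client, victim = "198.51.100.5", "203.0.113.7"
    c = issue_cookie(client)
    print("same address:   ", handle_request(c, client))
    print("spoofed address:", handle_request(c, victim))
    print("garbage cookie: ", handle_request(b"\x00" * 10, victim))
```

<div>The trade-off Hal raises is visible in the verification step: the server has to see the client's address on every request and tie it to the cookie it issued, which is exactly the linkability NTS cookies otherwise avoid, and a client whose address changes (NAT rebinding, mobile handover) has to fetch fresh cookies before it is answered again.</div>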