nanog mailing list archives

Permitting spoofed traffic [Was: Re: ddos attack blog]


From: Paul Ferguson <fergdawgster () mykolab com>
Date: Fri, 14 Feb 2014 10:42:55 -0800

On 2/14/2014 10:22 AM, Wayne E Bouchard wrote:

> On Thu, Feb 13, 2014 at 08:01:27PM -0500, Jared Mauch wrote:
>> I would actually like to ask for those folks to un-block NTP so
>> there is proper data on the number of hosts for those researching
>> this.  The right thing to do is reconfigure them.  I've seen a
>> good trend line in NTP servers being fixed, and hope we will see
>> more of that in the next few weeks.
>
> A slight exception to that statement, if I may...
>
> The right thing to do is for people to not permit services to
> operate on hosts they do not intend to operate on and not to be
> visible to those they do not intend to use them. In other words, to
> properly manage their networks. If that means blocking all access
> to potentially faulty implementations, then that's the right thing
> to do. In short, companies should do what is right for their
> companies and never mind anyone else.
>
> Never forget that researchers are just part of the "public" and
> should never consider that their usage of the internet is any more
> or less valid to the average third party than the next guy.


Taken to the logical extreme, the "right thing" to do is to deny any
spoofed traffic from abusing these services altogether. NTP is not the
only one; there is also SNMP, DNS, etc.

- ferg


-- 
Paul Ferguson
VP Threat Intelligence, IID
PGP Public Key ID: 0x54DC85B2


