nanog mailing list archives
Re: "trivial" changes to DNS (was: OpenNTPProject.org)
From: Mark Andrews <marka () isc org>
Date: Fri, 17 Jan 2014 12:44:07 +1100
In message <CAD6AjGTE-raK1AnFha+tz+WQGAuUrB7Pr0vfc3J=QnHFu638vw () mail gmail com> , Cb B writes:
> On Jan 16, 2014 5:10 PM, "Mark Andrews" <marka () isc org> wrote:
> >
> > In message <CAAAwwbVJKEok-ydwEQd4cowJ9qAAtbC8mKqwNXrsud55+H9ZEw () mail gmail com>, Jimmy Hess writes:
> > > On Thu, Jan 16, 2014 at 3:05 PM, Mark Andrews <marka () isc org> wrote:
> > > >
> > > > We don't need to change transport, we don't need to port knock. We just need to implement a slightly modified DNS cookies, which reminds me that I need to review Donald Eastlake's new draft to be.
> > >
> > > But a change to DNS doesn't solve the problem for the other thousand or so UDP-based protocols.
> >
> > What thousand protocols? There really are very few protocols widely deployed on top of UDP.
> >
> > > What would your fix be for the Chargen and SNMP protocols?
> >
> > Chargen is turned off on many platforms by default. Turn it off on more. Chargen loops are detectable.
>
> Somebody has it on.
>
> I can confirm multi-Gb/s chargen attacks going on regularly.
>
> I agree. More chargen off, more BCP 38, but ... yeh ... chargen is a big problem here and now.
So go and *report* the traffic streams so that the chargen service can be turned off or, if the box doesn't support that, the box is replaced / filtered. I don't know anyone that *needs* chargen turned on all the time. Most *never* need it to be turned on.

India was just declared polio free. Fixing chargen is easier than that.

Step 1. Make sure you do not have chargen sources.
Step 2. Report traffic.
Step 3. Stop accepting all traffic to/from the if step 2 does not help.

Mark
> CB
>
> > SNMP doesn't need to be open to the entire world. It's not like authoritative DNS servers which are offering a service to everyone.
> >
> > New UDP based protocols need to think about how to handle spoof traffic.
> >
> > You look at providing extending routing protocols to provide information about the legitimate source addresses that may be emitted over a link. SIDR should help here with authentication of the data. This will enable better automatic filtering to be deployed.
> >
> > You continue to deploy BCP38. Every site that deploys BCP38 is one less site where owned machines can be used to launch attacks from.
> >
> > Mark
> > --
> > Mark Andrews, ISC
> > 1 Seymour St., Dundas Valley, NSW 2117, Australia
> > PHONE: +61 2 9871 4742                 INTERNET: marka () isc org
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka () isc org
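Mark's "Step 2. Report traffic" needs the operator to pick the chargen (UDP/19) reflection streams out of ordinary flow exports before anyone can be told to turn the service off. The following is an added example, not code from the thread or from ISC: it aggregates UDP flows sourced from port 19 per (reflector, victim) pair, drops pairs under a volume threshold, and lists the reflector addresses to report. The flow records, the tuple layout and the 1 MB threshold are constructed for the example.

```python
"""Added example (not part of the NANOG thread): find chargen (UDP/19)
reflection streams in flow records so each reflector can be reported to
the network that hosts it. Records and thresholds here are constructed."""
from collections import defaultdict

CHARGEN_PORT = 19
UDP = 17

# Constructed sample flows: (src_ip, src_port, dst_ip, dst_port, proto, bytes, packets).
# 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 are documentation prefixes.
SAMPLE_FLOWS = [
    ("192.0.2.10", 19, "203.0.113.5", 40000, UDP, 2_400_000, 2300),  # reflector -> victim
    ("192.0.2.10", 19, "203.0.113.5", 40000, UDP, 1_900_000, 1800),  # same pair, next export interval
    ("192.0.2.11", 19, "203.0.113.5", 40000, UDP, 3_100_000, 3000),  # second reflector, same victim
    ("203.0.113.5", 40000, "192.0.2.10", 19, UDP, 1_200, 40),        # tiny "requests" towards port 19
    ("192.0.2.20", 19, "198.51.100.7", 55555, UDP, 512, 1),          # single chargen reply, below threshold
    ("192.0.2.53", 53, "203.0.113.5", 40001, UDP, 900_000, 1500),    # DNS traffic, not chargen
    ("192.0.2.10", 19, "203.0.113.9", 22, 6, 5_000_000, 4000),       # TCP chargen: not the UDP reflection case
]


def chargen_reflection_streams(flows, min_bytes=1_000_000):
    """Aggregate UDP flows sourced from port 19 per (reflector, victim) pair.

    Returns dicts sorted by bytes descending; pairs below min_bytes are dropped
    so the report is limited to streams worth an abuse contact's attention.
    """
    totals = defaultdict(lambda: {"bytes": 0, "packets": 0})
    for src, sport, dst, dport, proto, nbytes, npkts in flows:
        if proto != UDP or sport != CHARGEN_PORT:
            continue
        totals[(src, dst)]["bytes"] += nbytes
        totals[(src, dst)]["packets"] += npkts
    rows = [{"reflector": src, "victim": dst, **stats}
            for (src, dst), stats in totals.items() if stats["bytes"] >= min_bytes]
    return sorted(rows, key=lambda r: r["bytes"], reverse=True)


def reflectors_to_report(rows):
    """Distinct reflector addresses; each gets one report to its operator."""
    return sorted({r["reflector"] for r in rows})


if __name__ == "__main__":
    rows = chargen_reflection_streams(SAMPLE_FLOWS)
    for row in rows:
        print(f'{row["reflector"]:>12} -> {row["victim"]:<14} {row["bytes"]:>10} B {row["packets"]:>6} pkts')
    print("report to operators of:", ", ".join(reflectors_to_report(rows)))
```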