Re: "trivial" changes to DNS (was: OpenNTPProject.org)

[Mark Andrews <marka () isc org>]

In message <CAD6AjGTE-raK1AnFha+tz+WQGAuUrB7Pr0vfc3J=QnHFu638vw () mail gmail com>
, Cb B writes:
> On Jan 16, 2014 5:10 PM, "Mark Andrews" <marka () isc org> wrote:
> > In message <
> CAAAwwbVJKEok-ydwEQd4cowJ9qAAtbC8mKqwNXrsud55+H9ZEw () mail gmail com>
> > , Jimmy Hess writes:
> > > On Thu, Jan 16, 2014 at 3:05 PM, Mark Andrews <marka () isc org> wrote:
> > >
> > > > We don't need to change transport, we don't need to port knock.  We
> > > > just need to implementent a slightly modified dns cookies which
> > > > reminds me that I need to review Donald Eastlake's new draft to be.
> > >
> > > But a change to DNS doesn't solve the problem for the other thousand or
> so
> > > UDP-based protocols.
> >
> > What thousand protocols?  There really are very few protocols widely
> > deployed on top of UDP.
> >
> > > What would your fix be for the Chargen and SNMP protocols?
> >
> > Chargen is turned off on many platforms by default.  Turn it off
> > on more.  Chargen loops are detectable.
>
> Somebody has it on.
>
> I can confirm multi gb/s size chargen attacks going on regularly.
>
> I agree. More chargen off, more bcp 38, but ...yeh.. chargen is a big
> problem here and now

So go and *report* the traffic streams so that chargen service can
be turned off or if the box doesn't support that, the box is replaced
/ filter.

I don't know anyone that *needs* chargen turned on all the time.
Most *never* need it to be turned on.

India was just declared polio free.  Fixing chargen is easier than
that.

Step 1.  make sure you do not have chargen sources.
Step 2.  report traffic.
Step 3.  stop accepting all traffic to/from the if step 2 does not help.

Mark

> CB
>
> > SNMP doesn't need to be open to the entire world.  It's not like
> > authoritative DNS servers which are offering a service to everyone.
> >
> > New UDP based protocols need to think about how to handle spoof
> > traffic.
> >
> > You look at providing extending routing protocols to provide
> > information about the legitimate source addresses that may be emitted
> > over a link.  SIDR should help here with authentication of the data.
> > This will enable better automatic filtering to be deployed.
> >
> > You continue to deploy BCP38.  Every site that deploys BCD is one
> > less site where owened machines can be used to launch attacks from.
> >
> > Mark
> > --
> > Mark Andrews, ISC
> > 1 Seymour St., Dundas Valley, NSW 2117, Australia
> > PHONE: +61 2 9871 4742                 INTERNET: marka () isc org
>
> --047d7bfd030c59198804f02057ae
> Content-Type: text/html; charset=ISO-8859-1
> Content-Transfer-Encoding: quoted-printable
>
> <p dir=3D"ltr"><br>
> On Jan 16, 2014 5:10 PM, &quot;Mark Andrews&quot; &lt;<a href=3D"mailto:mar=
> ka () isc org">marka () isc org</a>&gt; wrote:<br>
> &gt;<br>
> &gt;<br>
> &gt; In message &lt;<a href=3D"mailto:CAAAwwbVJKEok-ydwEQd4cowJ9qAAtbC8mKqw=
> NXrsud55%2BH9ZEw () mail gmail com">CAAAwwbVJKEok-ydwEQd4cowJ9qAAtbC8mKqwNXrsu=
> d55+H9ZEw () mail gmail com</a>&gt;<br>
> &gt; , Jimmy Hess writes:<br>
> &gt; &gt; On Thu, Jan 16, 2014 at 3:05 PM, Mark Andrews &lt;<a href=3D"mail=
> to:marka () isc org">marka () isc org</a>&gt; wrote:<br>
> &gt; &gt;<br>
> &gt; &gt; &gt; We don&#39;t need to change transport, we don&#39;t need to =
> port knock. =A0We<br>
> &gt; &gt; &gt; just need to implementent a slightly modified dns cookies wh=
> ich<br>
> &gt; &gt; &gt; reminds me that I need to review Donald Eastlake&#39;s new d=
> raft to be.<br>
> &gt; &gt; &gt;<br>
> &gt; &gt;<br>
> &gt; &gt; But a change to DNS doesn&#39;t solve the problem for the other t=
> housand or so<br>
> &gt; &gt; UDP-based protocols.<br>
> &gt;<br>
> &gt; What thousand protocols? =A0There really are very few protocols widely=
> <br>
> &gt; deployed on top of UDP.<br>
> &gt;<br>
> &gt; &gt; What would your fix be for the Chargen and SNMP protocols?<br>
> &gt;<br>
> &gt; Chargen is turned off on many platforms by default. =A0Turn it off<br>
> &gt; on more. =A0Chargen loops are detectable.<br>
> &gt;</p>
> <p dir=3D"ltr">Somebody has it on. </p>
> <p dir=3D"ltr">I can confirm multi gb/s size chargen attacks going on regul=
> arly. </p>
> <p dir=3D"ltr">I agree. More chargen off, more bcp 38, but ...yeh.. chargen=
>  is a big problem here and now</p>
> <p dir=3D"ltr">CB</p>
> <p dir=3D"ltr">&gt; SNMP doesn&#39;t need to be open to the entire world. =
> =A0It&#39;s not like<br>
> &gt; authoritative DNS servers which are offering a service to everyone.<br=
> >
> &gt;<br>
> &gt; New UDP based protocols need to think about how to handle spoof<br>
> &gt; traffic.<br>
> &gt;<br>
> &gt; You look at providing extending routing protocols to provide<br>
> &gt; information about the legitimate source addresses that may be emitted<=
> br>
> &gt; over a link. =A0SIDR should help here with authentication of the data.=
> <br>
> &gt; This will enable better automatic filtering to be deployed.<br>
> &gt;<br>
> &gt; You continue to deploy BCP38. =A0Every site that deploys BCD is one<br=
> >
> &gt; less site where owened machines can be used to launch attacks from.<br=
> >
> &gt;<br>
> &gt; Mark<br>
> &gt; --<br>
> &gt; Mark Andrews, ISC<br>
> &gt; 1 Seymour St., Dundas Valley, NSW 2117, Australia<br>
> &gt; PHONE: +61 2 9871 4742 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 INTERNET: <a hr=
> ef=3D"mailto:marka () isc org">marka () isc org</a><br>
> &gt;<br>
> </p>
>
> --047d7bfd030c59198804f02057ae--
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka () isc org