Re: UDP/123 policers & status

[Bottiger <bottiger10 () gmail com>]

> but why isn't BCP 38 widely deployed?

Because it costs time and money. People have been asking for it to be
implemented for decades. It is never going to be deployed on every network.

What fraction of the
> world does implement BCP 38?

 Not enough. Everyone has to use it for it to work. Otherwise the hackers
will still find a network that doesn't have it.

I'd also be interested in general background info on DDoS.  Who is DDoS-ing
> whom and/or why?  Is this gamers trying to get an advantage on a
> competitor?
> Bad guys making a test run to see if the server can be used for a real
> run?


Most motivations for attacks can't be traced. But this is not just a gaming
problem. It is used to extort businesses for money, destroy competitors,
shutdown government critics, fame.

 Is DDoS software widely available on the dark web?


You don't need the dark web. It is widely available on Github like most
other attack types.

https://github.com/search?q=ntp+ddos

Broken protocols need to be removed and blacklisted at every edge. Pushing
the responsibility to BCP38 is unrealistic.


On Mon, Mar 23, 2020 at 7:43 AM Hal Murray <
hgm+nanog () ip-64-139-1-69 sjc megapath net> wrote:

> Steven Sommars said:
> > The secure time transfer of NTS was designed to avoid amplification
> attacks.
>
> I work on NTP software (ntpsec).  I have a couple of low cost cloud
> servers in
> the pool where I can test things and collect data.
>
> I see bursts of 10K to several million packets "from" the same IP Address
> at
> 1K to 10K packets per second.  Ballpark of 100 events per day, depending
> on
> the size cutoff.  I saw one that lasted for most of a day at 1K
> packeets/sec.
>
> All the packets I've seen have been vanilla NTP requests - no attempt at
> amplification.  I'm only checking a very small fraction of the garbage.
>
> I haven't seen any pattern in the target IP Address.  Reverse DNS names
> that
> look like servers are rare.  I see legitimate NTP requests from some of
> the
> targets.
>
> Would data be useful?  If so, who, what, ... (poke me off list)
>
> I don't see any good solution that a NTP server can implement.  If I block
> them all, the victim can't get time.  If I let some fraction through, that
> just reduces the size of the DDoS.  I don't see a fraction that lets
> enough
> through so the victim is likely to get a response to a legitimate request
> without also getting a big chunk of garbage.  I'm currently using a
> fraction
> of 0.  If the victim is using several servers, one server getting knocked
> out
> shouldn't be a big deal.  (The pool mode of ntpd should drop that system
> and
> use DNS to get another.)
>
> If NTS is used, it would be possible to include the clients IP Address in
> the
> cookie and only respond to requests with cookies that were issued to the
> client.  That has privacy/tracking complications.
>
> ----------
>
> I don't want to start a flame war, but why isn't BCP 38 widely deployed?
> Can
> somebody give me a pointer to a talk at NANOG or such?  What fraction of
> the
> world does implement BCP 38?
>
> I'd also be interested in general background info on DDoS.  Who is
> DDoS-ing
> whom and/or why?  Is this gamers trying to get an advantage on a
> competitor?
> Bad guys making a test run to see if the server can be used for a real
> run?
> Is DDoS software widely available on the dark web?  ...
>
>
>
>
>
> --
> These are my opinions.  I hate spam.