On Mon, 6 Oct 2003 Valdis.Kletnieks@vt.edu wrote:
My favorite:
"ntp-1.vt.edu is portscanning me very slowly with source port 123...."
The really sad ones are the ones who 3 days earlier dropped me a note to tell me they'll using our NTP server.....
Due to the propensity of people to configure NTP in various annoying ways, and then failing to respond to requests to fix their systems, the NTP developers added a new command packet to the protocol. To help reduce the level of spurious network traffic due to obsolete configuration files, a special control message called the kiss-o'-death packet has been implemented. If enabled and a packet is denied service or exceeds the client limits, a compliant server will send this message to the client. A compliant client will cease further transmission and send a message to the system log. See the Authentication Options page for further information. Should other protocols include the same feature? If someone sends you a Dynamic DNS update, could the protocol include a kiss-o'-death packet to tell clients to go away? If someone keeps probing your HTTP server, should HTTP include a kiss-o'-death packet to tell clients to go away? If someone connects to your SMTP server, should SMTP include a kiss-o'-death packet to tell clients to go away. Or is this such a widely needed feature, should we try to include it in a base protocol such as IP/ICMP? In a large number of these cases, its not malicious, its misconfigured. A host could respond to a connection with an ICMP Go Away packet. Even if the end-host doesn't comply, an edge device or firewall using ICMP snooping could detect the Go Away packet and change its configuration. By pushing the control out to the edges, we avoid overloading the core with one-to-one configuration changes. Using a four-way handshake, its possible to protect against most types of spoofing and denial of service even without encryption or keys distribution. If you think the root servers are attacking you, Ok. Send a Go Away packet, and you won't get any more packets from the root server. Why would you do this? I don't know, but that's your choice. It would get the ISP out of the business of deciding what should be considered network abuse, and what isn't. After the user stops shooting himself in the foot (or runs out of toes), maybe he'll fix the broken auto-firewall software which thinks everyone is attacking him. At NANOG in Chicago, if anyone would like to discuss it further let me know.