In message <CAD6AjGTE-raK1AnFha+tz+WQGAuUrB7Pr0vfc3J=QnHFu638vw@mail.gmail.com> , Cb B writes:
On Jan 16, 2014 5:10 PM, "Mark Andrews" <marka@isc.org> wrote:
In message <
CAAAwwbVJKEok-ydwEQd4cowJ9qAAtbC8mKqwNXrsud55+H9ZEw@mail.gmail.com>
, Jimmy Hess writes:
On Thu, Jan 16, 2014 at 3:05 PM, Mark Andrews <marka@isc.org> wrote:
We don't need to change transport, we don't need to port knock. We just need to implementent a slightly modified dns cookies which reminds me that I need to review Donald Eastlake's new draft to be.
But a change to DNS doesn't solve the problem for the other thousand or so UDP-based protocols.
What thousand protocols? There really are very few protocols widely deployed on top of UDP.
What would your fix be for the Chargen and SNMP protocols?
Chargen is turned off on many platforms by default. Turn it off on more. Chargen loops are detectable.
Somebody has it on.
I can confirm multi gb/s size chargen attacks going on regularly.
I agree. More chargen off, more bcp 38, but ...yeh.. chargen is a big problem here and now
So go and *report* the traffic streams so that chargen service can be turned off or if the box doesn't support that, the box is replaced / filter. I don't know anyone that *needs* chargen turned on all the time. Most *never* need it to be turned on. India was just declared polio free. Fixing chargen is easier than that. Step 1. make sure you do not have chargen sources. Step 2. report traffic. Step 3. stop accepting all traffic to/from the if step 2 does not help. Mark
CB
SNMP doesn't need to be open to the entire world. It's not like authoritative DNS servers which are offering a service to everyone.
New UDP based protocols need to think about how to handle spoof traffic.
You look at providing extending routing protocols to provide information about the legitimate source addresses that may be emitted over a link. SIDR should help here with authentication of the data. This will enable better automatic filtering to be deployed.
You continue to deploy BCP38. Every site that deploys BCD is one less site where owened machines can be used to launch attacks from.
Mark -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: marka@isc.org
--047d7bfd030c59198804f02057ae Content-Type: text/html; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable
<p dir=3D"ltr"><br> On Jan 16, 2014 5:10 PM, "Mark Andrews" <<a href=3D"mailto:mar= ka@isc.org">marka@isc.org</a>> wrote:<br> ><br> ><br> > In message <<a href=3D"mailto:CAAAwwbVJKEok-ydwEQd4cowJ9qAAtbC8mKqw= NXrsud55%2BH9ZEw@mail.gmail.com">CAAAwwbVJKEok-ydwEQd4cowJ9qAAtbC8mKqwNXrsu= d55+H9ZEw@mail.gmail.com</a>><br> > , Jimmy Hess writes:<br> > > On Thu, Jan 16, 2014 at 3:05 PM, Mark Andrews <<a href=3D"mail= to:marka@isc.org">marka@isc.org</a>> wrote:<br> > ><br> > > > We don't need to change transport, we don't need to = port knock. =A0We<br> > > > just need to implementent a slightly modified dns cookies wh= ich<br> > > > reminds me that I need to review Donald Eastlake's new d= raft to be.<br> > > ><br> > ><br> > > But a change to DNS doesn't solve the problem for the other t= housand or so<br> > > UDP-based protocols.<br> ><br> > What thousand protocols? =A0There really are very few protocols widely= <br> > deployed on top of UDP.<br> ><br> > > What would your fix be for the Chargen and SNMP protocols?<br> ><br> > Chargen is turned off on many platforms by default. =A0Turn it off<br> > on more. =A0Chargen loops are detectable.<br> ></p> <p dir=3D"ltr">Somebody has it on. </p> <p dir=3D"ltr">I can confirm multi gb/s size chargen attacks going on regul= arly. </p> <p dir=3D"ltr">I agree. More chargen off, more bcp 38, but ...yeh.. chargen= is a big problem here and now</p> <p dir=3D"ltr">CB</p> <p dir=3D"ltr">> SNMP doesn't need to be open to the entire world. = =A0It's not like<br> > authoritative DNS servers which are offering a service to everyone.<br=
><br> > New UDP based protocols need to think about how to handle spoof<br> > traffic.<br> ><br> > You look at providing extending routing protocols to provide<br> > information about the legitimate source addresses that may be emitted<= br> > over a link. =A0SIDR should help here with authentication of the data.= <br> > This will enable better automatic filtering to be deployed.<br> ><br> > You continue to deploy BCP38. =A0Every site that deploys BCD is one<br=
> less site where owened machines can be used to launch attacks from.<br=
><br> > Mark<br> > --<br> > Mark Andrews, ISC<br> > 1 Seymour St., Dundas Valley, NSW 2117, Australia<br> > PHONE: +61 2 9871 4742 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 INTERNET: <a hr= ef=3D"mailto:marka@isc.org">marka@isc.org</a><br> ><br> </p>
--047d7bfd030c59198804f02057ae-- -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: marka@isc.org