but why isn't BCP 38 widely deployed?
Because it costs time and money. People have been asking for it to be implemented for decades. It is never going to be deployed on every network. What fraction of the
world does implement BCP 38?
Not enough. Everyone has to use it for it to work. Otherwise the hackers will still find a network that doesn't have it. I'd also be interested in general background info on DDoS. Who is DDoS-ing
whom and/or why? Is this gamers trying to get an advantage on a competitor? Bad guys making a test run to see if the server can be used for a real run?
Most motivations for attacks can't be traced. But this is not just a gaming problem. It is used to extort businesses for money, destroy competitors, shutdown government critics, fame. Is DDoS software widely available on the dark web? You don't need the dark web. It is widely available on Github like most other attack types. https://github.com/search?q=ntp+ddos Broken protocols need to be removed and blacklisted at every edge. Pushing the responsibility to BCP38 is unrealistic. On Mon, Mar 23, 2020 at 7:43 AM Hal Murray < hgm+nanog@ip-64-139-1-69.sjc.megapath.net> wrote:
Steven Sommars said:
The secure time transfer of NTS was designed to avoid amplification attacks.
I work on NTP software (ntpsec). I have a couple of low cost cloud servers in the pool where I can test things and collect data.
I see bursts of 10K to several million packets "from" the same IP Address at 1K to 10K packets per second. Ballpark of 100 events per day, depending on the size cutoff. I saw one that lasted for most of a day at 1K packeets/sec.
All the packets I've seen have been vanilla NTP requests - no attempt at amplification. I'm only checking a very small fraction of the garbage.
I haven't seen any pattern in the target IP Address. Reverse DNS names that look like servers are rare. I see legitimate NTP requests from some of the targets.
Would data be useful? If so, who, what, ... (poke me off list)
I don't see any good solution that a NTP server can implement. If I block them all, the victim can't get time. If I let some fraction through, that just reduces the size of the DDoS. I don't see a fraction that lets enough through so the victim is likely to get a response to a legitimate request without also getting a big chunk of garbage. I'm currently using a fraction of 0. If the victim is using several servers, one server getting knocked out shouldn't be a big deal. (The pool mode of ntpd should drop that system and use DNS to get another.)
If NTS is used, it would be possible to include the clients IP Address in the cookie and only respond to requests with cookies that were issued to the client. That has privacy/tracking complications.
----------
I don't want to start a flame war, but why isn't BCP 38 widely deployed? Can somebody give me a pointer to a talk at NANOG or such? What fraction of the world does implement BCP 38?
I'd also be interested in general background info on DDoS. Who is DDoS-ing whom and/or why? Is this gamers trying to get an advantage on a competitor? Bad guys making a test run to see if the server can be used for a real run? Is DDoS software widely available on the dark web? ...
-- These are my opinions. I hate spam.