On Mon, Jan 13, 2014 at 11:18 PM, Saku Ytti <saku@ytti.fi> wrote:
> On (2014-01-13 21:33 +0000), Bjoern A. Zeeb wrote:
>> BCP38! I am always surprised when people need crypto if they fail the simple things.
>
> Saying that BCP38 is a solution to the reflection attacks is not unlike a 5-year-old wishing nothing but world peace for Christmas: endearing, but it's not going to change anything. BCP38 is completely unrealistic; many access networks are on autopilot, many don't have HW support for BCP38, and one port configured has low benefit: only that machine can stop attacking (but the whole world).
>
> Near term, reducing attack surface is practical to reduce impact (not a solution, just damage control).

BCP38 (even if not fully deployed) is the only viable form of reducing the attack surface. Other ideas can never reach enough adoption to have any impact (they need to be ~100% deployed before any improvement is seen). As an example, let's imagine you successfully close 99% of the open DNS recursive resolvers, dropping the number of available reflectors from 28M down to 280k. Has that achieved anything? No, the attacks will be just as large. Or even if you do get to 100%, you haven't done anything about the authoritative servers. Or the other protocols, like NTP, Chargen, etc.

> Near term, transit providers who do BGP prefix-lists could use the same prefix-list for an ACL, segmenting spoofing domains. It's very high pay-off: a couple of ports configured, and the whole downstream branch is isolated into its own spoofing domain, able to attack only targets inside the same domain.

I see this as a form of BCP38, but imposed on networks by their transit providers, rather than done voluntarily. It would be great if it could work, but I have doubts due to asymmetric routing announcements intended for traffic shaping.

> Mid term, transport area in IETF. DNS, NTP, SNMP, chargen et al. could trivially change to QUIC/MinimaLT or comparable, getting the same 0 RTT penalty as UDP without reflection potential.

I'd expect that to take 20 years or more. Even if new standards are defined, the old servers will only be removed when they physically fail.

My crazy proposal: get international agreement that sending spoofed packets is illegal, then trace their sources. Tracing the sources just requires transit providers (or other large networks) to collect and analyze netflow, but that may end up being as infeasible as changing the global legal system. ;)

Damian
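Two of the operational ideas in this exchange, Saku's "reuse the BGP prefix-list as an ingress ACL" and Damian's "trace spoofed sources from netflow", are the same check applied at different times: a packet arriving on a customer port is spoofed if its source address is not in a prefix that customer announces to us. The following is an added example written for this page, not code posted by either participant. The interface names, customer prefixes and flow records are constructed, the ACL rendering uses IOS-style syntax purely as an illustration of the output, and it is the same prefix-list that drives both the ACL and the flow audit.

```python
import ipaddress
from collections import defaultdict

# Constructed example data: the prefixes each downstream customer announces to
# us over BGP, keyed by the interface it is attached to. In practice this is the
# prefix-list the transit provider already uses to filter the customer's BGP.
CUSTOMER_PREFIXES = {
    "ge-0/0/1": ["192.0.2.0/24", "198.51.100.0/25"],
    "ge-0/0/2": ["203.0.113.0/24"],
}

# Constructed NetFlow-like records: (ingress interface, src IP, dst IP, dst port, packets).
FLOWS = [
    ("ge-0/0/1", "192.0.2.10",   "198.51.100.53", 53,  120),   # legitimate
    ("ge-0/0/1", "203.0.113.7",  "192.0.2.53",    53,  9000),  # spoofed: src belongs to ge-0/0/2's customer
    ("ge-0/0/2", "203.0.113.25", "192.0.2.123",   123, 300),   # legitimate
    ("ge-0/0/2", "198.18.0.1",   "192.0.2.123",   123, 7000),  # spoofed: src announced by nobody here
]


def parse_prefix_lists(prefixes_by_iface):
    """Turn the string prefix-lists into ipaddress network objects, one list per interface."""
    return {
        iface: [ipaddress.ip_network(p, strict=True) for p in prefixes]
        for iface, prefixes in prefixes_by_iface.items()
    }


def source_permitted(iface, src, nets_by_iface):
    """BCP38 check: is src inside a prefix the customer on this interface announces?"""
    src_addr = ipaddress.ip_address(src)
    return any(src_addr in net for net in nets_by_iface.get(iface, []))


def build_ingress_acl(prefixes_by_iface):
    """Render a per-interface ingress source ACL from the BGP prefix-list.

    The IOS-style syntax is illustrative only (hypothetical rendering); the point
    is that the permit entries are exactly the customer's announced prefixes and
    everything else is dropped and logged.
    """
    acls = {}
    for iface, nets in parse_prefix_lists(prefixes_by_iface).items():
        name = "BCP38-" + iface.replace("/", "_")
        lines = [f"ip access-list extended {name}"]
        for net in nets:
            # ACL wildcard masks are the inverse of the prefix mask, i.e. the hostmask.
            lines.append(f" permit ip {net.network_address} {net.hostmask} any")
        lines.append(" deny ip any any log")
        acls[iface] = "\n".join(lines)
    return acls


def audit_flows(flows, prefixes_by_iface):
    """Replay flow records against the prefix-lists and report spoofed sources per interface.

    This is the 'trace their sources' step: a transit provider with flow export can
    attribute spoofed packets to the customer port they entered on, even where no
    ACL was applied at the time.
    """
    nets_by_iface = parse_prefix_lists(prefixes_by_iface)
    spoofed = defaultdict(list)
    for iface, src, dst, dport, pkts in flows:
        if not source_permitted(iface, src, nets_by_iface):
            spoofed[iface].append({"src": src, "dst": dst, "dport": dport, "packets": pkts})
    return dict(spoofed)


if __name__ == "__main__":
    for iface, acl in build_ingress_acl(CUSTOMER_PREFIXES).items():
        print(f"! ingress ACL for {iface}\n{acl}\n")
    for iface, records in audit_flows(FLOWS, CUSTOMER_PREFIXES).items():
        for r in records:
            print(f"{iface}: spoofed src {r['src']} -> {r['dst']}:{r['dport']} ({r['packets']} pkts)")
```

The audit only attributes a spoofed packet to the port it entered on; it cannot say which host behind that port sent it, which is exactly why Saku's transit-imposed variant and Damian's tracing idea both stop at the "spoofing domain" rather than the individual machine. Damian's caveat about asymmetric announcements applies here too: a customer that legitimately sources traffic from a prefix it does not announce on this port will show up as a false positive.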