On (2013-03-27 22:27 -1000), David Conrad wrote:
> One of the largest DDoS attacks I've witnessed was SNMP-based, walking entire OID sub-trees (with spoofed source addresses) across thousands of CPEs that defaulted to allowing SNMP queries over the WAN interface. "Oops". Topped out around 70 Gbps if I remember correctly. No DNS involved.

Wonderful data point. Services are not the problem. Open recursors are not the problem; there are millions of them, and even if we close all of them, the attack vector remains almost identically the same, as due to DNSSEC it's easy to find large RRs in authoritative servers.

I think most everyone is missing the key notion that BCP38 does not need to be deployed by millions. Most people are NOT doing ACL filtering towards their transit customers. Tier1<->Tier2 cannot do it (strict IRR is not practical). Tier2<->Tier3 can do it, and should do it. We have about 6000 tier2 networks that we need to fix to make spoofing attack vectors impractical.

It's entirely doable if we can agree that an ACL towards your transit customer is BCP and start approaching/educating/helping (github scripts to do it automatically for your JunOS, IOS, TimOS, IOS-XR...) these 6000 networks.

-- 
  ++ytti
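As an added illustration of the automation ytti mentions (this is not code from the post or from any existing GitHub script): given a transit customer's prefix list, generate the customer-facing ingress ACL for IOS and JunOS and check candidate source addresses against it. The customer prefixes, policy names and output layout are assumptions.

```python
import ipaddress

# Constructed sample: the prefixes one transit customer is entitled to source traffic
# from (what they announce to us / have registered). Names and prefixes are assumptions.
CUSTOMER_PREFIXES = ["192.0.2.0/24", "198.51.100.0/25", "198.51.100.128/25", "2001:db8::/32"]


def normalize(prefixes):
    """Parse and aggregate the customer's prefixes.

    strict=True rejects entries with host bits set (a common typo), and
    collapse_addresses merges adjacent prefixes so the ACL stays short.
    Returns (ipv4_networks, ipv6_networks), each sorted.
    """
    nets = [ipaddress.ip_network(p, strict=True) for p in prefixes]
    v4 = ipaddress.collapse_addresses(n for n in nets if n.version == 4)
    v6 = ipaddress.collapse_addresses(n for n in nets if n.version == 6)
    return list(v4), list(v6)


def ios_acl(name, nets):
    """Cisco IOS extended ACL for the inbound direction of the customer-facing
    interface: permit sources inside the customer's prefixes, drop and log the rest."""
    lines = [f"ip access-list extended {name}"]
    for n in nets:
        lines.append(f" permit ip {n.network_address} {n.hostmask} any")
    lines.append(" deny ip any any log")
    return "\n".join(lines)


def junos_filter(name, nets):
    """Equivalent JunOS family-inet firewall filter, applied as 'input' on the customer interface."""
    addrs = " ".join(f"{n};" for n in nets)
    return "\n".join([
        f"firewall {{ family inet {{ filter {name} {{",
        f"  term customer-sources {{ from {{ source-address {{ {addrs} }} }} then accept; }}",
        "  term spoofed { then { log; discard; } }",
        "} } }",
    ])


def source_allowed(src, nets):
    """Would a packet with this source address pass the filter? Handy for checking before deploying."""
    addr = ipaddress.ip_address(src)
    return any(addr in n for n in nets if n.version == addr.version)


if __name__ == "__main__":
    v4, v6 = normalize(CUSTOMER_PREFIXES)
    print(ios_acl("CUST-IN-V4", v4))
    print(junos_filter("CUST-IN-V4", v4))
```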