On Jan 16, 2014 5:10 PM, "Mark Andrews" <marka@isc.org> wrote:
In message <
CAAAwwbVJKEok-ydwEQd4cowJ9qAAtbC8mKqwNXrsud55+H9ZEw@mail.gmail.com>
, Jimmy Hess writes:
On Thu, Jan 16, 2014 at 3:05 PM, Mark Andrews <marka@isc.org> wrote:
We don't need to change transport, we don't need to port knock. We just need to implementent a slightly modified dns cookies which reminds me that I need to review Donald Eastlake's new draft to be.
But a change to DNS doesn't solve the problem for the other thousand or so UDP-based protocols.
What thousand protocols? There really are very few protocols widely deployed on top of UDP.
What would your fix be for the Chargen and SNMP protocols?
Chargen is turned off on many platforms by default. Turn it off on more. Chargen loops are detectable.
Somebody has it on. I can confirm multi gb/s size chargen attacks going on regularly. I agree. More chargen off, more bcp 38, but ...yeh.. chargen is a big problem here and now CB
SNMP doesn't need to be open to the entire world. It's not like authoritative DNS servers which are offering a service to everyone.
New UDP based protocols need to think about how to handle spoof traffic.
You look at providing extending routing protocols to provide information about the legitimate source addresses that may be emitted over a link. SIDR should help here with authentication of the data. This will enable better automatic filtering to be deployed.
You continue to deploy BCP38. Every site that deploys BCD is one less site where owened machines can be used to launch attacks from.
Mark -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: marka@isc.org