[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Can we not just fix it? WAS:Re: Open Resolver Problems

On (2013-03-27 22:27 -1000), David Conrad wrote:

> One of the largest DDoS attacks I've witnessed was SNMP-based, walking entire OID sub-trees (with spoofed source addresses) across thousands of CPEs that defaulted to allowing SNMP queries over the WAN interface. "Oops". Topped out around 70 Gbps if I remember correctly. No DNS involved. 

Wonderful data point. Services are not the problem. Open recursors are not
the problem, there are millions of them, and even if we close all of them,
attack vector remains almost identically the same, as due to DNSSEC it's
easy to find large RR in authorative servers.

I think most everyone is missing the key notion that BCP38 does not need to
be deployed my millions. 

Most people are NOT doing ACL filtering towards their transit customers,
Tier1<->Tier2 cannot do it (strict IRR is not practical). Tier2<->Tier3 can
do it, and should do it.
We have about 6000 tier2 networks that we need to fix to make spooffing
attack vectors impractical. It's entirely doable if we can agree that ACL
towards your transit customer is BCP and start
approaching/educating/helping (github scripts to do it automatically for
your JunOS, IOS, TimOS, IOS-XR...) these 6000 networks.