On Feb 13, 2014, at 1:47 PM, John <jsch...@flowtools.net> wrote:

> On 02/13/2014 10:06 AM, Cb B wrote:
>> Good write-up, includes name and shame for AT&T Wireless, IIJ, OVH,
>> DTAG and others
>>
>> http://blog.cloudflare.com/technical-details-behind-a-400gbps-ntp-amplification-ddos-attack
>>
>> Standard plug for http://openntpproject.org/ and
>> http://openresolverproject.org/ and BCP38, please fix/help.
>>
>> For those of you paying attention to the outages list, this is a pretty
>> big deal that has had daily ramifications for some very big networks
>> https://puck.nether.net/pipermail/outages/2014-February/date.html
>>
>> In general, I think UDP is doomed to be blocked and rate limited --
>> tragedy of the commons. But it would be nice if folks would just fix
>> the root of the issue so the rest of us don't have to go there...
>
> UDP won't be blocked. There are some vendors that have their own hidden
> protocol inside UDP packets to control and communicate with their devices.
>
> Thinking on it again, maybe blocking UDP isn't all that bad. Would force the
> vendors to not 'hide' their protocol.
>
Be careful what you wish for.

I know some people have just blocked all NTP to keep their servers from participating in attacks. This is common in places where they hand off a VM/host to a customer and no longer have access despite it being in their environment.

I would actually like to ask those folks to un-block NTP so there is proper data on the number of hosts for those researching this. The right thing to do is to reconfigure them.

I've seen a good trend line in NTP servers being fixed, and hope we will see more of that in the next few weeks.

I've seen maybe 100-200 per-ASN reports handed out to network operators. If you want yours, please e-mail ntp-s...@puck.nether.net to obtain it. Put your ASN in the subject line and/or body.

- Jared (and others like Patrick that presented on the project's behalf).
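As an added example (not part of Jared's message, the thread, or the openntpproject.org material), the reconfiguration he is asking for, shown for the reference ntpd's ntp.conf: the permissive form that answers mode 7 monlist queries from anyone, beside the corrected form that refuses them, followed by the check to run from a different host. The upstream server names and the address 203.0.113.10 are assumed placeholders.

```conf
# --- BEFORE: answers control and monitor queries from any source ---
# (assumed example config; the server names are placeholders)
server 0.pool.ntp.org
server 1.pool.ntp.org
# no "restrict default" line, so every source may run mode 6/7 queries,
# including the mode 7 "monlist" request that the amplification abuses

# --- AFTER: serve time, refuse everything else ---
server 0.pool.ntp.org
server 1.pool.ntp.org

# Refuse control/monitor queries (noquery), configuration changes
# (nomodify), trap requests (notrap) and unsolicited peering (nopeer)
# from everyone; "kod" sends a Kiss-o'-Death to clients that query too fast.
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery

# The local host keeps full access so ntpq/ntpdc still work for the admin.
restrict 127.0.0.1
restrict ::1

# Belt and braces: turn the monitor facility off entirely, so there is
# no client list for monlist to return even if a restrict line is wrong.
disable monitor
```

To verify from a host outside the server's restrict exceptions (203.0.113.10 is an assumed address): `ntpdc -n -c monlist 203.0.113.10` should time out or report that the request was denied rather than returning a list of recent clients, and `ntpq -c rv 203.0.113.10` should likewise get no variables back. A plain `ntpdate -q 203.0.113.10` (or a mode 3 client request from any NTP client) must still succeed, confirming that time service was not blocked along with the queries. After restarting ntpd, it is worth re-checking the host against openntpproject.org, since that is the data Jared's per-ASN reports are drawn from.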