mer A the ability to interfere with Customer B's traffic,
and the difficulty of implementing such constraints). It can be an
option worth exploring, in many circumstances.
--------
Roland Dobbins
e well-understood and -documented, and a bit of research
can help bring one up to speed on them pretty quickly.
--------
Roland Dobbins
niversal source-address validation (SAV). Without the ability to
spoof, there would be no reflection/amplification attacks.
-------
Roland Dobbins
point is that when applying broad policies of this nature, one must
be very conservative, else one can cause larger problems on a macro
scale. Internet arteriosclerosis is a significant issue.
-------
Roland Dobbins
in your span of administrative control.
* btw, what can you experts tell me about tcp-based volumetric
attacks...
TCP reflection/amplification.
-----------
Roland Dobbins
and should use them in a
situationally-appropriate manner. And when we're using techniques like
QoSing down certain ports/protocols, we must err on the side of caution,
lest we cause larger problems than the attacks themselves.
---
Roland Dobbins
ng_Isp_v2.pdf>
-------
Roland Dobbins
neral.
---
Roland Dobbins
/s/xznjloitly2apixr5xge>
-----------
Roland Dobbins
it the attacker.
-------
Roland Dobbins
On 15 Aug 2018, at 6:28, Grant Taylor via NANOG wrote:
> Is there something that I've missed the boat on?
No - it's a belt-and-suspenders sort of thing, along with GTSM.
-------
Roland Dobbins
tworking-Technology-ebook/dp/B0051TM5L2/>
-----------
Roland Dobbins
infrastructure self-protection concepts:
<https://app.box.com/s/osk4po8ietn1zrjjmn8b>
---
Roland Dobbins
access
policies at the IDC edge which disallow unwanted UDP/11211 as well as
TCP/11211 from reaching abusable memcached deployments.
-------
Roland Dobbins
On 27 May 2017, at 0:19, Roland Dobbins wrote:
> <https://app.box.com/s/ko8lk4vlh1835p36na3u>
This is the correct URI for the first preso, apologies:
<https://app.box.com/s/osk4po8ietn1zrjjmn8b>
-------
Roland Dobbins
On 27 May 2017, at 0:54, valdis.kletni...@vt.edu wrote:
> I'll go out on a limb and suggest that except for a very basic home/SOHO
> network, "You may need" should be "You will probably need".
Concur, heh.
-------
Roland Dobbins
You may need one
set of ACLs at the peering/transit edge, and other, more specific ACLs,
at the IDC distribution gateway, customer aggregation gateway, et al.
---
Roland Dobbins
on Windows boxes, IIRC.
-------
Roland Dobbins
rt of capability, too.
---
Roland Dobbins
On 7 Jan 2017, at 14:22, Joly MacFie wrote:
> Blind backlash from IoT DDoS? Looming billions of rf tagged items?
None of this has anything to do with this 'DOA' thing, though.
-------
Roland Dobbins
nature, I've been waiting
for the ITU to impose GOSIP or whatever on us for the last ~30 years or
so - but so far, nothing much has happened in that regard.
Is there actually a reason to suspect that this time it will be any
different?
---
Roland Dobbins
ectory services, per se.
Can you provide more context?
-------
Roland Dobbins
ter/ttl-expiry-attack.html>
-----------
Roland Dobbins
On 22 Dec 2016, at 20:27, Jean | ddostest.me via NANOG wrote:
> the already known Layer 4 amp DDoS like dns, ntp, ssdp, snmp
These are layer-7 reflection/amplification attacks - i.e.,
application-layer - *not* layer-4.
---
Roland Dobbins
On 20 Dec 2016, at 12:18, Laurent Dumont wrote:
> As a student in the field, this is the kind of stuff I live for! ;)
<https://en.wikipedia.org/wiki/NTP_server_misuse_and_abuse#Notable_cases>
-------
Roland Dobbins
On 17 Dec 2016, at 0:13, Job Snijders wrote:
> There are providers who inspect the AS_PATH's contents and make
> decisions to reject (ignore) a route announcement or
> not based on the presence of certain values.
+1
---
Roland Dobbins
On 16 Dec 2016, at 16:40, Roland Dobbins wrote:
> Looking at the source IP distribution, does a significant proportion
> of the larger query base seem to originate out-of-region?
And do they appear to be mostly broadband access networks, or
?
---
Roland Dobbins
On 16 Dec 2016, at 10:17, Roland Dobbins wrote:
<http://pages.cs.wisc.edu/~plonka/netgear-sntp/>
Over on nznog, Cameron Bradley posited that this may be related to a
TR-069/-064 Mirai variant, which makes use of a 'SetNTPServers' exploit.
Perhaps one of them is
On 16 Dec 2016, at 10:16, Roland Dobbins wrote:
>
<http://pages.cs.wisc.edu/~plonka/netgear-sntp/>
-------
Roland Dobbins
On 16 Dec 2016, at 10:09, Dan Drown wrote:
> This seems more like "someone pushed out bad firmware" rather than
> something malicious.
Everything old is new again . . .
-------
Roland Dobbins
esync queries, or lots of level-6/level-7 admin
command attempts?
---
Roland Dobbins
On 5 Dec 2016, at 21:50, Graham Johnston wrote:
> What is your preferred one and why?
<http://testmy.net/>
Thorough, reasonable test methodology, allows one to store history,
decent range of test servers worldwide.
---
Roland Dobbins
On 2 Dec 2016, at 22:31, Christopher Morrow wrote:
> that statement seems ... hard to prove.
Paging Geoff Huston to the white courtesy phone . . .
;>
---
Roland Dobbins
e actors' are somehow 'learning how
to take down the Internet' is equally uninformed. State actors already
know how to do this, they don't need to 'learn' or 'test' anything.
DDoS attacks are the Great Equalizer; when it comes to DDoS,
nation-states are just another player.
---
Roland Dobbins
On 26 Oct 2016, at 0:41, Gary Baribault wrote:
> other than the two local major ISPs (keeping last Friday in mind!)
. . . why would you want to expose them to the public Internet at all?
There are many, many reasons not to do so.
---
Roland Dobbins
On 21 Oct 2016, at 23:01, Mike Hammett wrote:
> Are there sites that can test your BCP38\84 compliance?
<https://www.caida.org/projects/spoofer/>
-------
Roland Dobbins
On 20 Oct 2016, at 23:32, Mark Tinka wrote:
> Some requirements call for Ethernet transport as opposed to IP.
Sure - but it's probably worth revisiting the origins of those
requirements, and whether there are better alternatives.
---
Roland Dobbins
moving
forward.
-------
Roland Dobbins
On 28 Sep 2016, at 0:18, Brielle Bruns wrote:
> I call shenanigans on providers not seeing their unruly users.
I was talking about the users, not the ISPs.
---
Roland Dobbins
world, however.
Especially the Internet part.
;>
---
Roland Dobbins
* the unruly children, but *choose* to ignore them. That's
the difference.
Keep in mind, most of the folks on this list are not representative of
the average consumer in terms of the skill-sets which are relevant in
this problem space.
-------
Roland Dobbins
On 27 Sep 2016, at 22:37, Patrick W. Gilmore wrote:
> All the more reason to educate people TODAY on why having vulnerable
> devices is a Very Bad Idea.
Yes, but how do they determine that a given device is vulnerable?
---
Roland Dobbins
e a single provider, just as
they typically do for electricity and water.
-------
Roland Dobbins
cle of clothing they own, every can of
soda in their refrigerator, every major (and many minor) components of
their automobiles, every blade in their windowshades, etc.
-------
Roland Dobbins
g similar would work here.
Concur that this is the least-improbable model, absolutely.
But keep in mind that subscriptions/services for in-home wiring were
(and are) also a tiny percentage of the user base.
-------
Roland Dobbins
elf how many people set up and use 2FA for any online service
which supports it, on their own initiative (i.e., not having a bank ship
them a pre-provisioned dongle). The number of people capable of doing
this troubleshooting for themselves is roughly equivalent to the number
of people who've successfully set up 2FA on their own initiative.
---
Roland Dobbins
iferation of connected devices - militates against user
troubleshooting, as well.
---
Roland Dobbins
e's
no separation in the public mind of 'my network' from 'the Internet'
that is analogous to the separation between 'the power company' and 'the
electrical wiring in my house/apartment' (and even in that space, the
conceptual separation often isn't present).
---
Roland Dobbins
re sending .gifs or
something, surely this might be possible, yes?
It seems within the realm of possibility this sort of response - or lack
thereof - could result in some gaming network operators becoming a bit
jaded. And perhaps some customers, too.
-------
Roland Dobbins
is a dearth of engagement of clueful folks in the global
operational community. Some gaming-oriented networks are
well-represented; others are not, sadly.
-------
Roland Dobbins
m with NAT; as CGN becomes
more prevalent on wireline broadband networks, it's only going to get
worse.
AFAIK, PSN doesn't support IPv6. That would be another topic of
discussion with the operational folks.
-------
Roland Dobbins
uring they can be enforced.
---
Roland Dobbins
On 13 Jun 2016, at 8:52, Kasper Adel wrote:
> 2) Do some planning and research first.
This.
---
Roland Dobbins
're now experiencing.
Sometimes it isn't possible, of course.
-------
Roland Dobbins
dom, if ever, accomplishes anything
useful in terms of successfully defending against DDoS attacks.
---
Roland Dobbins
their ISPs?
;>
---
Roland Dobbins
ing-Opensourcely-wp.pdf>
Just keep in mind, *nothing* is perfect.
---
Roland Dobbins
on reading various reports and research papers,
but rather upon our actions which generate the data and experiential
observations upon which such reports and research papers are based.
-----------
Roland Dobbins
stood out in my mind); those
espousing it pretty quickly changed their tunes once their networks had
been knocked flat a couple of times.
;>
---
Roland Dobbins
to provide for a higher degree of automation, increased
rapidity of response, and interoperability in both inter- and
intra-network DDoS mitigation scenarios.
---
Roland Dobbins
On 30 Apr 2016, at 19:56, Pierre Lamy wrote:
> to null out the destination rather than the source.
<https://tools.ietf.org/html/rfc5635>
-------
Roland Dobbins
On 13 Mar 2016, at 3:03, George Herbert wrote:
> It's a symptom of trying to save a few cents at the risk of dollars.
Concur 100%.
Not to mention the related security issues.
---
Roland Dobbins
rvers just lying around in random rooms, and that
those rooms are de facto government data centers, whether those who're
responsible for said rooms/servers know it or not . . .
-------
Roland Dobbins
grow wearisome. I
will not reply any further to this thread, so as to avoid further
spamming the list.
---
Roland Dobbins
ation about traffic via FNF or IPFIX EE
mechanisms isn't desirable. But you are simply wrong about the utility
of NetFlow and/or IPFIX with classical flow templates.
I really like to hear feedback about my vision.
See above.
---
Roland Dobbins
pes of DDoS attacks
utilizing NetFlow implementations (with the exceptions of crippled
implementations like the aforementioned EARL6/EARL7 and pre-Sup7 Cisco
4500) are simply untrue.
-----------
Roland Dobbins
incorrect, and reflects an inaccurate understanding of how
NetFlow/IPFIX actually works, in practice. It's often repeated by those
with little or no operational experience with NetFlow/IPFIX.
---
Roland Dobbins
acket, anyways.
---
Roland Dobbins
't support 1:1.
-------
Roland Dobbins
On 27 Feb 2016, at 8:06, Keith Medcalf wrote:
> Consumer Narrowband Access Networks use these protocols all the time.
Most broadband access customers do not actively use these protocols,
themselves, with the partial exception of SIP.
---
Roland Dobbins
On 27 Feb 2016, at 7:59, John Levine wrote:
> I think that most if not all of the consumer over the top VoIP phones
> like Vonage use SIP.
That's true. One would hope that they're not globally reachable,
however.
-------
Roland Dobbins
On 27 Feb 2016, at 7:23, John Levine wrote:
> The VoIP phones sure use SIP.
True, but how prevalent are 'bare' SIP phones vs. VoIP systems utilized
by remote workers via VPNs?
-------
Roland Dobbins
On 27 Feb 2016, at 4:03, John Levine wrote:
> A certain number of us work from home and connect to headquarters with
> a VPN, and have SIP phones, you know.
Not typically via/requiring the protocols you mentioned.
---
Roland Dobbins
what's being
discussed in this thread.
It's a different story for transit operators.
-------
Roland Dobbins
nnection.
Caveat emptor.
-----------
Roland Dobbins
ew up.
Also, see this article:
<http://arstechnica.com/security/2016/02/asus-lawsuit-puts-entire-industry-on-notice-over-shoddy-router-security/>
and this .pdf preso:
<https://app.box.com/s/rblnddlhda44giwfa8hy>
-----------
Roland Dobbins
running out-of-date software that is abusable in multiple
ways.
---
Roland Dobbins
s://app.box.com/s/r7an1moswtc7ce58f8gg>
-------
Roland Dobbins
fiers (which is
often the case).
And even that small tenth of a percent who're deliberately running their
own DNS servers can end up inadvertently causing disruption if they're
running those DNS servers as open recursors.
-----------
Roland Dobbins
esponsible.
-------
Roland Dobbins
ckets *destined* for
UDP/53 on broadband access networks, not *sourced from*.
---
Roland Dobbins
ly emanate from
broadband access networks due to abusable CPE. Others, as well, of
course, but those are generally the most prevalent.
-------
Roland Dobbins
, apart from the immediate upstream.
-------
Roland Dobbins
he DNS
changes.
-------
Roland Dobbins
On 29 Jan 2016, at 0:05, Crane, Todd wrote:
> Imagine the issues if EoL'ed and EoS'ed those iPads.
Um, I think they are . . .
-------
Roland Dobbins
x, or . . . ?
---
Roland Dobbins
On 13 Dec 2015, at 0:23, Jim Shankland wrote:
> Am I missing something, or is an even distribution of originating IP
> addresses virtually impossible *without* using spoofing?
If his remarks were reported correctly, they are incorrect.
---
Roland Dobbins
some preemptive ACLs so that you
aren't forced into completing the DDoS.
---
Roland Dobbins
<https://app.box.com/s/776tkb82634ewvzvp26nnout6v4ij39q>
<https://app.box.com/s/r7an1moswtc7ce58f8gg>
-----------
Roland Dobbins
tuationally-specific.
-------
Roland Dobbins
On 7 Dec 2015, at 13:41, Laurent Dumont wrote:
> I appreciate any input on the matter!
1. cisco-nsp is a better list for this type of question.
2. The ASR9K is an edge router, not an access switch.
3. Why not just ask Cisco, for starters?
---
Rol
DDoS attacks, FYI.
---
Roland Dobbins
pe.
Start with the BCPs, then move to the macroanalytical. Only dip into
the microanalytical when required, and even then, do so very
selectively.
-------
Roland Dobbins
On 4 Dec 2015, at 2:38, Dovid Bender wrote:
> The last I spoke with NTT they said the largest they ever saw was > 300GB
That wasn't DD4BC or Armada Collective.
-------
Roland Dobbins
On 3 Dec 2015, at 22:04, Josh Reynolds wrote:
> None of those names you just mentioned have made the international news.
Of course they have.
---
Roland Dobbins
On 3 Dec 2015, at 22:26, Nick Hilliard wrote:
> If you believe that someone who issues a ransom threat will stop if you pay
> them off, you're smoking crack.
+1
These attacks aren't rocket-science to defend against.
OP, ping me 1:1.
-------
Roland Dobbins
ontact me 1:1 and I'll work to hook you up with the right
folks.
---
Roland Dobbins
On 2 Dec 2015, at 0:14, Roland Dobbins wrote:
> Until the happy day when we've achieved universal source-address
> validation arrives, various combinations of the above.
I forgot to mention RRL on authoritative servers, apologies.
---
Roland Dobbins
ed out'
by programmatically-generated attack traffic).
The real solution to this entire problem set is source-address
validation, as you indicate. Until the happy day when we've achieved
universal source-address validation arrives, various combinations of the
above.
-----------
Roland Dobbins