On 2/14/2014 9:07 PM, Paul Ferguson wrote:
> Indeed -- I'm not in the business of bit-shipping these days, so I
> can't endorse or advocate any particular method of blocking spoofed IP
> packets in your gear.
If you're dead-end, a basic ACL that permits ONLY your prefixes on
egress, and blocks you
On 2/14/2014 4:09 PM, Joe Provo wrote:
> On Fri, Feb 14, 2014 at 10:42:55AM -0800, Paul Ferguson wrote:
> [snip]
>> Taken to the logical extreme, the "right thing" to do is to deny
>> any spoofed traffic from abusing these services altogether. NTP
On 2/14/2014 3:00 PM, Larry Sheldon wrote:
> On 2/14/2014 12:42 PM, Paul Ferguson wrote:
>> Taken to the logical extreme, the "right thing" to do is to deny
>> any spoofed traffic from abusing these services altogether.
>
> Since the 1990s I have a
On Fri, Feb 14, 2014 at 10:42:55AM -0800, Paul Ferguson wrote:
[snip]
> Taken to the logical extreme, the "right thing" to do is to deny any
> spoofed traffic from abusing these services altogether. NTP is not the
> only one; there is also SNMP, DNS, etc.
...and then we're back to "implement BCP3
On 2/14/14, 3:00 PM, Hal Murray wrote:
>
>> I was being a bit extreme, I don't expect UDP to be blocked and there are
>> valid uses for NTP and it needs to pass. Can you imagine the trading
>> servers not having access to NTP?
>
> Sure.
>
> They could set up internal NTP servers listening to GP
> I was being a bit extreme, I don't expect UDP to be blocked and there are
> valid uses for NTP and it needs to pass. Can you imagine the trading
> servers not having access to NTP?
Sure.
They could set up internal NTP servers listening to GPS. Would it be as good
overall as using external s
On 2/14/2014 12:42 PM, Paul Ferguson wrote:
> Taken to the logical extreme, the "right thing" to do is to deny any
> spoofed traffic from abusing these services altogether.
Since the 1990s I have argued (ineffectively, it turns out) a case that
says that sentence can be edited down to good advanta
On 02/13/2014 06:01 PM, Jared Mauch wrote:
On Feb 13, 2014, at 1:47 PM, John wrote:
UDP won't be blocked. There are some vendors that have their own hidden
protocol inside UDP packets to control and communicate with their devices.
Thinking on it again, maybe blocking UDP isn't all that bad.
On 2/14/2014 10:22 AM, Wayne E Bouchard wrote:
> On Thu, Feb 13, 2014 at 08:01:27PM -0500, Jared Mauch wrote:
>> I would actually like to ask for those folks to un-block NTP so
>> there is proper data on the number of hosts for those researching
>>
On Thu, Feb 13, 2014 at 08:01:27PM -0500, Jared Mauch wrote:
> I would actually like to ask for those folks to un-block NTP so there is
> proper data on the number of hosts for those researching this. The right
> thing to do is reconfigure them. I've seen a good trend line in NTP servers
> bei
On Friday, February 14, 2014 03:01:27 AM Jared Mauch wrote:
> I would actually like to ask for those folks to un-block
> NTP so there is proper data on the number of hosts for
> those researching this. The right thing to do is
> reconfigure them. I've seen a good trend line in NTP
> servers bein
On Feb 13, 2014, at 1:47 PM, John wrote:
> On 02/13/2014 10:06 AM, Cb B wrote:
>> Good write up, includes name and shame for AT&T Wireless, IIJ, OVH,
>> DTAG and others
>>
>> http://blog.cloudflare.com/technical-details-behind-a-400gbps-ntp-amplification-ddos-attack
>>
>> Standard plug for htt
On 02/13/2014 10:06 AM, Cb B wrote:
> Good write up, includes name and shame for AT&T Wireless, IIJ, OVH,
> DTAG and others
>
> http://blog.cloudflare.com/technical-details-behind-a-400gbps-ntp-amplification-ddos-attack
>
> Standard plug for http://openntpproject.org/ and
> http://openresolverproject.org/ an
On 2/13/2014 9:06 AM, Cb B wrote:
> Good write up, includes name and shame for AT&T Wireless, IIJ,
> OVH, DTAG and others
>
> http://blog.cloudflare.com/technical-details-behind-a-400gbps-ntp-amplification-ddos-attack
>
> Standard plug for http://
On Feb 13, 2014, at 12:06 PM, Cb B wrote:
> Good write up, includes name and shame for AT&T Wireless, IIJ, OVH,
> DTAG and others
>
> http://blog.cloudflare.com/technical-details-behind-a-400gbps-ntp-amplification-ddos-attack
>
> Standard plug for http://openntpproject.org/ and
> http://openre
Good write up, includes name and shame for AT&T Wireless, IIJ, OVH,
DTAG and others
http://blog.cloudflare.com/technical-details-behind-a-400gbps-ntp-amplification-ddos-attack
Standard plug for http://openntpproject.org/ and
http://openresolverproject.org/ and bcp38 , please fix/help.
For those