On Jan 16, 2014 5:10 PM, "Mark Andrews" <[email protected]> wrote:
>
> In message <caaawwbvjkeok-ydweqd4cowj9qaatbc8mkqwnxrsud55+h9...@mail.gmail.com>, Jimmy Hess writes:
> > On Thu, Jan 16, 2014 at 3:05 PM, Mark Andrews <[email protected]> wrote:
> >
> > > We don't need to change transport, we don't need to port knock. We
> > > just need to implement a slightly modified DNS cookies, which
> > > reminds me that I need to review Donald Eastlake's new draft-to-be.
> >
> > But a change to DNS doesn't solve the problem for the other thousand or so
> > UDP-based protocols.
>
> What thousand protocols? There really are very few protocols widely
> deployed on top of UDP.
>
> > What would your fix be for the Chargen and SNMP protocols?
>
> Chargen is turned off on many platforms by default. Turn it off
> on more. Chargen loops are detectable.
>

Somebody has it on. I can confirm multi-Gb/s size chargen attacks going on regularly.

I agree. More chargen off, more BCP 38, but... yeh... chargen is a big problem here and now.

CB

> SNMP doesn't need to be open to the entire world. It's not like
> authoritative DNS servers which are offering a service to everyone.
>
> New UDP-based protocols need to think about how to handle spoofed
> traffic.
>
> You look at extending routing protocols to provide
> information about the legitimate source addresses that may be emitted
> over a link. SIDR should help here with authentication of the data.
> This will enable better automatic filtering to be deployed.
>
> You continue to deploy BCP38. Every site that deploys BCP38 is one
> less site where owned machines can be used to launch attacks from.
>
> Mark
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742 INTERNET: [email protected]
>
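The two controls the thread keeps coming back to, a BCP 38 egress filter and spotting a local chargen/SNMP host being used as a reflector, are both checks you can run over border flow records. The script below is an added example written for this page, not code from the list or from ISC; the local prefixes, the per-flow record format, the thresholds and the sample flows are all constructed for illustration (documentation address space from RFC 5737 and RFC 3849), so substitute your own prefixes and a real flow export before relying on it.

```python
"""Added example (not from the thread): a BCP 38 egress check and a crude
reflector-abuse detector, run over constructed egress flow records."""
import ipaddress
from collections import defaultdict

# Prefixes this site legitimately originates. Assumed values from
# documentation address space; replace with your own allocations.
LOCAL_PREFIXES = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("2001:db8:1::/48"),
]

# UDP services commonly abused as reflectors: the two named in the thread
# plus two more that show up in the same kind of attack.
REFLECTOR_PORTS = {19: "chargen", 161: "snmp", 53: "dns", 123: "ntp"}


def is_spoofed_egress(src, prefixes=LOCAL_PREFIXES):
    """BCP 38: a packet leaving the site whose source is not inside one of
    the site's own prefixes is spoofed and should be dropped at the border."""
    addr = ipaddress.ip_address(src)
    return not any(addr in net for net in prefixes)


def parse_flow(line):
    """One whitespace-separated egress flow record in the constructed format:
    proto src sport dst dport packets bytes"""
    proto, src, sport, dst, dport, packets, nbytes = line.split()
    return {
        "proto": proto.lower(), "src": src, "sport": int(sport),
        "dst": dst, "dport": int(dport),
        "packets": int(packets), "bytes": int(nbytes),
    }


def find_spoofed(flows):
    """Egress flows a BCP 38 filter would drop (owned machine forging the
    victim's address toward some reflector elsewhere)."""
    return [f for f in flows if is_spoofed_egress(f["src"])]


def find_reflector_abuse(flows, min_packets=100, min_avg_bytes=200):
    """Local UDP services sending many large replies to one remote address:
    the signature of a host here being used as a reflector. Aggregates per
    (service, local host, remote target) so a one-packet scan is not flagged.
    Thresholds are assumed; tune them against your own baseline."""
    totals = defaultdict(lambda: [0, 0])          # key -> [packets, bytes]
    for f in flows:
        if f["proto"] != "udp" or f["sport"] not in REFLECTOR_PORTS:
            continue
        key = (REFLECTOR_PORTS[f["sport"]], f["src"], f["dst"])
        totals[key][0] += f["packets"]
        totals[key][1] += f["bytes"]
    hits = []
    for (service, src, dst), (packets, nbytes) in totals.items():
        if packets >= min_packets and nbytes / packets >= min_avg_bytes:
            hits.append({"service": service, "reflector": src,
                         "target": dst, "avg_bytes": nbytes / packets})
    return hits


# Constructed egress records for the example, not a real capture.
SAMPLE_FLOWS = """
udp 198.51.100.9 44321 203.0.113.44 19 500 30000
udp 192.0.2.50 19 203.0.113.77 5001 800 409600
udp 192.0.2.50 19 203.0.113.77 5001 400 204800
udp 192.0.2.10 161 203.0.113.77 6002 1500 1275000
udp 192.0.2.10 161 203.0.113.200 60000 2 1600
udp 192.0.2.20 53412 203.0.113.1 53 3 210
tcp 192.0.2.30 443 203.0.113.5 50000 10 8000
"""


def analyse(text=SAMPLE_FLOWS):
    flows = [parse_flow(line) for line in text.strip().splitlines()]
    return {"spoofed": find_spoofed(flows),
            "reflector_abuse": find_reflector_abuse(flows)}


if __name__ == "__main__":
    report = analyse()
    for f in report["spoofed"]:
        print(f"BCP38 drop: src {f['src']} not in a local prefix "
              f"(to {f['dst']}:{f['dport']})")
    for h in report["reflector_abuse"]:
        print(f"{h['service']} reflector {h['reflector']} -> {h['target']}: "
              f"{h['avg_bytes']:.0f} bytes/packet")
```

On the sample data the first record is the only BCP 38 violation (a bot inside the site forging 198.51.100.9 toward an external chargen port), while the chargen and SNMP flows from 192.0.2.50 and 192.0.2.10 to 203.0.113.77 are flagged as reflector abuse; the two-packet SNMP flow and the client-side DNS lookup are not. In practice the spoofed check belongs in an ACL or uRPF on the border router rather than in post-hoc flow analysis, but the per-target aggregation is the useful bit for finding which of your own hosts still has chargen or world-reachable SNMP switched on.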

