Keith Mitchell wrote:
> But it's not just about NTP and DNS, pretty much any UDP-based service
> that can do amplification is in play, e.g. SNMP, Chargen and I've even
> seen "QOTD" (UDP 19).
>
> <snip>
>
> Universal BCP38 source address validation is needed more badly than ever :-(

It really is. Glad to hear it's not just us - reflection attacks are starting to be one of the biggest problems we have, and it's proving incredibly difficult to deal with. It seems that any script kiddie who wants to can launch attacks of overwhelming volume - and boy do they. :(
Pretty much every single day we're seeing multiple 25G+ attacks now; we've had a fair few in the 40-80G range and a reported 100G+ last week too, usually directed at single machines, on both our own network and the 'off-net' carriers we use around the world. It's pretty much always NTP or DNS reflection, but we've seen loads of chargen, echo, daytime, SNMP and random fragmented packets too.

We can ACL most of it out on our side and protect the target, but providing many tens of gigabits' worth of capacity just to soak up attack traffic is 'difficult' to sustain financially! That leaves blackholing via transit providers (not peering, though), which doesn't really solve the problem.

I don't know what the 'end result' of this is going to be, but I'm sure that even if the NTP / DNS amplifiers get cleaned up enough to fix that, there's no shortage of other potential amplifiers out there anyway. If BCP38 doesn't start to gain wider adoption, this is just going to keep getting worse.
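An added illustration of the two points in the thread (not code from the original post or its author): a simulated BCP38 ingress check that drops packets whose source address is not in the prefixes routed to the customer port they arrive on, and a crude flow-record detector that flags hosts receiving large volumes of UDP traffic from well-known reflector source ports (NTP 123, DNS 53, chargen 19, QOTD 17, SNMP 161, echo 7, daytime 13). The customer prefixes, addresses, flow records and byte threshold are all constructed for the demo; real deployments would use uRPF or an ingress ACL on the router and NetFlow/sFlow export rather than an in-memory list.

```python
"""Added example: BCP38 ingress check and a reflection-traffic detector.

Everything here (prefixes, addresses, flow records, thresholds) is constructed
for the demonstration and is not data from the mailing-list post.
"""
import ipaddress
from collections import defaultdict

# UDP source ports of the reflection services mentioned in the thread.
REFLECTOR_PORTS = {
    123: "ntp", 53: "dns", 19: "chargen", 17: "qotd",
    161: "snmp", 7: "echo", 13: "daytime",
}

# Constructed: address space routed to one hypothetical customer edge port.
CUSTOMER_PREFIXES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.128/25"),
]


def bcp38_filter(src_ip, allowed_prefixes=CUSTOMER_PREFIXES):
    """Return True if a packet with this source may be forwarded upstream.

    This is the ingress side of BCP38: a customer-facing port only accepts
    packets sourced from the prefixes routed to that customer. A packet whose
    source is a victim's address (forged so the reflector's reply lands on
    the victim) fails the check and is dropped at the first hop.
    """
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in allowed_prefixes)


# Constructed flow records aggregated over a one-second window:
# (src_ip, src_port, dst_ip, dst_port, bytes)
FLOWS = [
    ("192.0.2.10", 123, "198.51.100.7", 40000, 120_000_000),  # NTP replies
    ("192.0.2.11", 123, "198.51.100.7", 40000, 95_000_000),
    ("192.0.2.12", 53, "198.51.100.7", 40000, 60_000_000),    # big DNS answers
    ("192.0.2.13", 19, "198.51.100.7", 40000, 30_000_000),    # chargen
    ("192.0.2.50", 443, "198.51.100.9", 51234, 2_000_000),    # ordinary HTTPS
    ("192.0.2.51", 123, "198.51.100.9", 123, 90),             # one real NTP reply
]


def find_reflection_targets(flows, threshold_bytes=1_000_000):
    """Sum bytes per destination arriving from reflector source ports.

    Returns {dst_ip: {"bytes": n, "services": {...}}} for destinations whose
    reflector-sourced volume in the window is at least threshold_bytes.
    The threshold is a constructed value; tune it to the links you watch.
    Legitimate replies (a client's own NTP or DNS query) stay far below it.
    """
    per_dst = defaultdict(lambda: {"bytes": 0, "services": set()})
    for src_ip, src_port, dst_ip, dst_port, nbytes in flows:
        service = REFLECTOR_PORTS.get(src_port)
        if service is None:
            continue  # not from a known reflector port; ignore
        per_dst[dst_ip]["bytes"] += nbytes
        per_dst[dst_ip]["services"].add(service)
    return {d: v for d, v in per_dst.items() if v["bytes"] >= threshold_bytes}


def to_gbps(nbytes, window_s=1.0):
    """Convert a byte count observed over window_s seconds to Gbit/s."""
    return nbytes * 8 / window_s / 1e9


if __name__ == "__main__":
    # A spoofed victim address never leaves the customer port.
    for src in ("203.0.113.5", "198.51.100.7"):
        print(src, "forwarded" if bcp38_filter(src) else "DROPPED (BCP38)")
    # On the victim side, reflector-sourced volume points at the target.
    for dst, info in find_reflection_targets(FLOWS).items():
        print(dst, f"{to_gbps(info['bytes']):.2f} Gbps", sorted(info["services"]))
```

The detector only looks at source port and volume, which is enough to spot the attack described in the post but will also count a busy resolver's legitimate answers; in practice you would add a packet-size distribution or the fraction of unsolicited replies before acting on it.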
