[time-nuts] NTP as vector for DDOS attacks?

Tapio Sokura tapio.sokura at iki.fi
Sun Jan 12 04:44:30 UTC 2014


On 10.1.2014 23:10, Jim Lux wrote:
> but how long before someone thinks of putting the amplifier after a
> botnet, rather than driving it directly.

It has probably been done for a while already, as has been done before
with protocols such as DNS and chargen. I'm perpetually amazed how so
many IP networks and ISPs in the world still let packets with faked
source addresses through, thus enabling reflection/amplification attacks
and in general making tracking (D)DoS sources that much harder.

If you run a network or an ISP, read and implement BCP38 if you haven't
already, please! It will make the Internet a better place, even if it's
just a network at a time. Trying to "secure" UDP amplification attacks a
higher-level protocol at a time is like putting a band-aid on a bad water
hose that leaks, with new leaks springing up elsewhere as the pressure
in the hose rises from the newly applied (still leaking) band-aids.

Sorry for wandering a bit off-topic here, just couldn't resist the
temptation. Maybe I should go rig my trusty Oncore VPs back online..

  Tapio, oh2kku
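
Added example, not part of the original post: a small Python model of the BCP38-style ingress filtering the message recommends, where an edge forwards a packet only if its source address lies within the prefixes assigned to the interface it arrived on. The interface names, prefixes (documentation address space) and packets are constructed for illustration.

```python
import ipaddress

# Constructed sample: prefixes assigned to each customer-facing interface.
ASSIGNED = {
    "cust-a": ["192.0.2.0/25", "2001:db8:a::/48"],
    "cust-b": ["198.51.100.0/24"],
}

def build_filters(assigned):
    """Parse the per-interface prefix lists once, up front."""
    return {ifname: [ipaddress.ip_network(p) for p in prefixes]
            for ifname, prefixes in assigned.items()}

def ingress_permits(filters, ifname, src):
    """True if a packet arriving on ifname may carry source address src."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # unparsable source address: drop
    # An interface with no assigned prefixes permits nothing (default deny).
    return any(addr.version == net.version and addr in net
               for net in filters.get(ifname, []))

def audit(filters, packets):
    """Split (ifname, src, dst) tuples into forwarded and dropped lists."""
    forwarded, dropped = [], []
    for pkt in packets:
        ifname, src, _dst = pkt
        target = forwarded if ingress_permits(filters, ifname, src) else dropped
        target.append(pkt)
    return forwarded, dropped

# Constructed sample traffic: (ingress interface, source, destination).
PACKETS = [
    ("cust-a", "192.0.2.10", "203.0.113.5"),          # source inside cust-a's /25
    ("cust-a", "203.0.113.99", "198.51.100.7"),       # source not assigned to cust-a
    ("cust-b", "192.0.2.10", "203.0.113.5"),          # cust-a's address seen on cust-b
    ("cust-a", "2001:db8:a::1", "2001:db8:ffff::1"),  # IPv6 source inside cust-a's /48
]

if __name__ == "__main__":
    fwd, drop = audit(build_filters(ASSIGNED), PACKETS)
    for p in fwd:
        print("forward", p)
    for p in drop:
        print("drop   ", p)
```

The filter is applied where customer traffic enters the network, since that is the only point at which the legitimate source prefixes for a link are known with certainty.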


