[Nottingham] NTP Amplification DDoS Attack... Continues...

Andy Smith andy at bitfolk.com
Fri Feb 21 09:17:07 UTC 2014


Hi Martin,

On Thu, Feb 20, 2014 at 03:42:18PM +0000, Martin wrote:
> Must all new protocols be devised so that there is no opportunity for a
> response size that is greater than the request data packet size? That
> would be one fix but unfortunately wasteful for bandwidth :-(

It won't be possible to design all UDP protocols so that answers to
requests can never be bigger than the request, as sometimes the
answer you need is the answer you need and you can't make it
smaller; e.g. you can't make some answers to DNS queries smaller
than the query.

Certainly, all UDP protocols should be designed with the risk of
spoofed source address in mind, however, and only allow large
responses where absolutely necessary.

Likewise the applications using the protocol should default to a
secure configuration where access to the potentially large responses
is disabled by default and must be enabled on a case by case basis.
For example, recursive DNS servers need to default to not offering
recursion or even any queries at all, until configured to allow it.

Perhaps the most important thing is for all ISPs to implement BCP38:

    http://www.bcp38.info/

This would prevent any host spoofing a source address.

Unfortunately as this involves work that does not directly and
immediately benefit, some networks do not do it, and these are the
ones that are the source of the attacks.

BCP38 is an absolute must because even a spoofed attack with no
amplification or even a less than 1x amplification is still useful
to an attacker and the true sources are obscured.

Some have called for UDP protocols to be abandoned in favour of TCP.
In some cases that is valid, but UDP protocols are much
lighter-weight so that would be a shame. There is disagreement
amongst DNS root server operators as to whether they could afford to
serve the load if all DNS queries were TCP instead of mostly UDP.

Cheers,
Andy

-- 
http://bitfolk.com/ -- No-nonsense VPS hosting
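As an added illustration of the "secure by default" point in the message above (not part of Andy's post, and not BitFolk's configuration), here is what the weak and the restricted settings look like for the two services the thread is about: a BIND recursive resolver and an ntpd server. The `192.0.2.0/24` range stands in for the operator's own client network and is a constructed example value; the BIND `rate-limit` block assumes BIND 9.10 or later.

```conf
# ---------------------------------------------------------------
# BIND named.conf, weak: an "open resolver" that recurses for anyone.
# A spoofed 60-byte query can trigger a multi-kilobyte answer to the
# forged source address.
# ---------------------------------------------------------------
options {
    directory "/var/cache/bind";
    recursion yes;
    allow-query     { any; };      // anyone may ask
    allow-recursion { any; };      // and anyone gets recursion
};

# ---------------------------------------------------------------
# BIND named.conf, restricted: recursion and cache access only for
# the operator's own clients; everyone else gets REFUSED, which is
# smaller than the query.  Response rate limiting caps what a
# single forged source can be sent per second.
# ---------------------------------------------------------------
acl "clients" {
    127.0.0.0/8;
    ::1/128;
    192.0.2.0/24;          // constructed example client range
};

options {
    directory "/var/cache/bind";
    recursion yes;
    allow-query       { clients; };
    allow-recursion   { clients; };
    allow-query-cache { clients; };
    rate-limit {
        responses-per-second 5;    // per client /24 (IPv4) or /56 (IPv6)
        window 5;
    };
};

# ---------------------------------------------------------------
# ntp.conf, weak: time service plus the mode 6/7 control and monitor
# queries, whose replies are far larger than the request.
# ---------------------------------------------------------------
restrict default nomodify notrap

# ---------------------------------------------------------------
# ntp.conf, restricted: still serves time to anyone, but "noquery"
# refuses the control/monitor queries, "nopeer" refuses unsolicited
# peering, "kod" rate-limits abusive clients, and "disable monitor"
# turns the monitor facility off entirely.
# ---------------------------------------------------------------
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1
disable monitor
```

The common pattern is the one the message describes: the service still works, but the large-answer paths are off unless a specific source is allowed. After changing either file, the check is to query the server from an address outside the allowed range (`dig @server example.com` should return REFUSED; `ntpq -c rv server` should time out) while the time and normal DNS answers for real clients are unaffected.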
