Internet Under Attack: World's Largest DDoS Attack Almost Broke The Internet
from the the-hidden-war dept
Update: Gizmodo is calling bullshit on these claims. They're likely correct that this attack was not a "threat" to the overall internet, but I also believe that Gizmodo is underplaying the potential problems from open resolvers.
We've known for a while that there are a number of people out there who really dislike Spamhaus, one of the better known providers of blacklists of spam IP addresses. For what it's worth, there are times when it feels like Spamhaus goes overboard in declaring an IP or range of IP addresses as spammers, and partly because of that, some who use the Spamhaus list seem to rely on it too heavily. That said, Spamhaus is doing important work in helping to stop the internet from being overrun with spam, and that's a good thing. But sometimes the people it angers aren't particularly nice. Last week, Spamhaus added hosting company Cyberbunker to its spam list. Someone didn't like that very much, and thus began a very big DDoS attack using open DNS recursors: resolvers that answer recursive queries from anyone, so an attacker can send them small queries with the victim's address forged as the source and have the much larger answers delivered to the victim. Spamhaus went to Cloudflare, which was able to mitigate the worst of the attack.
But that just led to round two, in which whoever was behind the DDoS went much, much bigger, attacking a number of the providers that supply Cloudflare with its bandwidth. Basically, it was massive firepower directed at some key points on the internet, and it was a pretty big deal. Cloudflare's blog post stays away from getting too expressive about the whole thing, but just the fact that it notes the attack came close to "breaking" the internet should get you to wake up:
Tier 1 networks don't buy bandwidth from anyone, so the majority of the weight of the attack ended up being carried by them. While we don't have direct visibility into the traffic loads they saw, we have been told by one major Tier 1 provider that they saw more than 300Gbps of attack traffic related to this attack. That would make this attack one of the largest ever reported.
The challenge with attacks at this scale is they risk overwhelming the systems that link together the Internet itself. The largest routers that you can buy have, at most, 100Gbps ports. It is possible to bond more than one of these ports together to create capacity that is greater than 100Gbps however, at some point, there are limits to how much these routers can handle. If that limit is exceeded then the network becomes congested and slows down.
Over the last few days, as these attacks have increased, we've seen congestion across several major Tier 1s, primarily in Europe where most of the attacks were concentrated, that would have affected hundreds of millions of people even as they surfed sites unrelated to Spamhaus or CloudFlare. If the Internet felt a bit more sluggish for you over the last few days in Europe, this may be part of the reason why.
The attackers say they're protesting Spamhaus acting as the internet's police:
Questioned about the attacks, Sven Olaf Kamphuis, an Internet activist who said he was a spokesman for the attackers, said in an online message that, "We are aware that this is one of the largest DDoS attacks the world had publicly seen." Mr. Kamphuis said Cyberbunker was retaliating against Spamhaus for "abusing their influence."
"Nobody ever deputized Spamhaus to determine what goes and does not go on the Internet," Mr. Kamphuis said. "They worked themselves into that position by pretending to fight spam."
Of course, all of this has clearly exposed a big vulnerability in the setup of the internet, and suggests that slowing down the internet on a large scale is entirely possible. But it's also made security folks that much more aware of how urgent it is to fix a key vulnerability that made this possible: the fact that there are so many open DNS resolvers out there that can be used to launch massive DDoS attacks. Because of that, security folks are rushing around to see if they can convince people to close as many as possible of the approximately 21.7 million open resolvers out there:
While lists of open recursors have been passed around on network security lists for the last few years, on Monday the full extent of the problem was, for the first time, made public. The Open Resolver Project made available the full list of the 21.7 million open resolvers online in an effort to shut them down.
We'd debated doing the same thing ourselves for some time but worried about the collateral damage of what would happen if such a list fell into the hands of the bad guys. The last five days have made clear that the bad guys have the list of open resolvers and they are getting increasingly brazen in the attacks they are willing to launch. We are in full support of the Open Resolver Project and believe it is incumbent on all network providers to work with their customers to close any open resolvers running on their networks.
Basically, over the last week or so, there's been a war going on concerning parts of the core of the internet, and while it might not have impacted you yet (or maybe it did), it's likely that the next round will be even bigger. In the meantime, the race is on to shut down open resolvers to try to keep the internet working, and hopefully to cut down on the power of such attacks.
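To make the mechanics behind "open resolvers can be used to launch massive DDoS attacks" concrete, here is an added example written for this page; it is not code from Cloudflare, Spamhaus or the Open Resolver Project. It builds the small, recursion-requesting DNS query an attacker spoofs, parses the answer, and scores a resolver. It assumes an ANY query with an EDNS0 buffer of 4096 bytes because that maximises the answer size; the page does not say which query type was used in this attack. The two sample answers are constructed inline so the script runs offline, and a resolver is counted as open only if it actually returns answers, not merely because the RA flag is set, since a server can advertise recursion yet refuse it to outside clients. probe() does a real UDP lookup if you hand it a resolver address.

```python
"""DNS reflection/amplification mechanics: build the small query an attacker
spoofs, parse the resolver's answer, and classify the resolver.
Added example for this page; not Cloudflare's, Spamhaus's or the Open
Resolver Project's code."""
import socket
import struct

DNS_TYPE_ANY = 255   # assumed query type: ANY maximises answer size
DNS_TYPE_TXT = 16
DNS_TYPE_OPT = 41
RCODE_REFUSED = 5


def encode_name(qname: str) -> bytes:
    """DNS label wire format: length-prefixed labels, zero terminator."""
    labels = [l for l in qname.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(qname: str, qtype: int = DNS_TYPE_ANY, edns_size: int = 4096,
                txid: int = 0x1234) -> bytes:
    """Query with RD=1 (please recurse) and an EDNS0 OPT record advertising a
    large UDP buffer, so the reflector will send a big answer over UDP."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD set; 1 question, 1 additional
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)  # class IN
    opt = b"\x00" + struct.pack("!HHIH", DNS_TYPE_OPT, edns_size, 0, 0)  # root name, type OPT
    return header + question + opt


def parse_header(msg: bytes) -> dict:
    """Decode the 12-byte DNS header into the flags and counts we care about."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & 0x8000), "tc": bool(flags & 0x0200),
            "rd": bool(flags & 0x0100), "ra": bool(flags & 0x0080),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an,
            "nscount": ns, "arcount": ar}


def classify(query: bytes, response: bytes) -> dict:
    """A resolver is 'open' only if it answered our recursive query: RA set,
    NOERROR, and at least one answer record. RA alone is not enough, because a
    server can advertise recursion and still REFUSE it to clients outside its
    allow-recursion list."""
    h = parse_header(response)
    if h["id"] != parse_header(query)["id"]:
        raise ValueError("response id does not match query id")
    is_open = h["qr"] and h["ra"] and h["rcode"] == 0 and h["ancount"] > 0
    return {"open": is_open, "amplification": len(response) / len(query),
            "query_bytes": len(query), "response_bytes": len(response), "header": h}


def make_open_response(query: bytes, n_txt: int = 20, txt_len: int = 100) -> bytes:
    """CONSTRUCTED sample of what an open resolver might return: NOERROR with
    n_txt TXT records. Not captured from any real server."""
    txid = struct.unpack("!H", query[:2])[0]
    question = query[12:-11]            # strip header and our 11-byte OPT record
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, n_txt, 0, 1)  # QR, RD, RA, NOERROR
    rdata = bytes([txt_len]) + b"A" * txt_len  # one TXT <character-string>
    rr = struct.pack("!HHHIH", 0xC00C, DNS_TYPE_TXT, 1, 300, len(rdata)) + rdata  # name = pointer to offset 12
    return header + question + rr * n_txt + query[-11:]


def make_refused_response(query: bytes) -> bytes:
    """CONSTRUCTED sample from a correctly restricted resolver: RA still set, but
    rcode REFUSED and no answers, so it is useless as a reflector."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180 | RCODE_REFUSED, 1, 0, 0, 0)
    return header + query[12:-11]


def probe(server: str, qname: str = "example.com", timeout: float = 2.0) -> dict:
    """Live check (needs network): send the query over UDP and classify the reply."""
    q = build_query(qname)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        data, _ = s.recvfrom(4096)
    return classify(q, data)


if __name__ == "__main__":
    q = build_query("example.com")
    for label, resp in (("open", make_open_response(q)), ("refused", make_refused_response(q))):
        r = classify(q, resp)
        print(f"{label}: open={r['open']} {r['query_bytes']}B -> {r['response_bytes']}B "
              f"amplification={r['amplification']:.1f}x")
```

Run it against a resolver you administer; probing other people's servers is exactly the scanning this thread argues about. The constructed open answer is 2300 bytes for a 40-byte query, an amplification factor of 57.5, which is why 300Gbps at the victim does not require a 300Gbps botnet, only the ability to spoof source addresses and a list of reflectors.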
Filed Under: ddos, internet, internet infrastructure, under attack
Companies: cyberbunker, spamhaus
Reader Comments
http://gizmodo.com/5992652/that-internet-war-apocalypse-is-a-lie?utm_campaign=socialflow_gizmodo_facebook&utm_source=gizmodo_facebook&utm_medium=socialflow
Re:
Regardless of whether or not they're right about this.
Re:
Bunker=everyone loses their mind.
N.
Re:
also 300Gbps is a drop in the ocean to T1 systems..
As for the open DNS resolvers out there, well yes it CAN be a problem but it's not as bad as anyone thinks it is and upstream systems are in place to mitigate any problems.
Another way to remove these 21.7 million 'open' resolvers (my bullshit detector just exploded at that figure) is to actually update, and there's a notion, BIND to the latest version. Something that should be done anyway.
also giving it the 'recursion no' option is a good thing no matter what!
The rest of the article about Spamhaus and Cloudflare is FUD made to let them moan and market their services and complain how someone didn't like them. Oh, and make people think things like CISPA are needed even more so. [Look at who benefits from CISPA and who controls both orgs]
Yes Spamhaus is ok, but it's not the only spam blacklister, and anyone who has looked at the way Spamhaus actually manages and authenticates (rarely) their lists knows that they have a huge false flag problem
Re: Re:
21 million seems high, but not impossible. I ran nmap with the dns_recursion script against my VPS provider and found quite a few within the same class C that I'm assigned.
Updating BIND wouldn't help; it's in the configuration about open recursion: allow-recursion { network/cidr };
For authoritative DNS servers, use RRL: http://www.redbarn.org/dns/ratelimits
Best option is to stop spoofing with BCP38 so the traffic isn't faked in the first place. This is DNS currently, but it could easily be any UDP traffic such as a game server, which of course I see a lot.
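Response Rate Limiting, the authoritative-server mitigation the comment above points to, as a small simulation. This is an added example for this page, not BIND's or NSD's implementation, and the traffic it processes is constructed. The idea it shows: identical answers toward one client /24 are limited with a token bucket (the 5 responses per second default is assumed, matching BIND's documented default), and every second suppressed answer is "slipped" as a truncated TC=1 reply so a real client retries over TCP, which a spoofed source can never complete. RRL is for authoritative servers; an open recursive resolver should be closed with allow-recursion, not rate limited.

```python
"""Response Rate Limiting (RRL) simulation. Added example for this page; not the
BIND/NSD implementation. Identical answers to one client /24 are limited by a
token bucket, and every slip-th suppressed answer is sent truncated (TC=1)."""
import ipaddress
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class RRLConfig:
    responses_per_second: int = 5   # assumed, cf. BIND: rate-limit { responses-per-second 5; };
    slip: int = 2                   # every 2nd suppressed answer becomes a TC=1 slip
    ipv4_prefix_length: int = 24    # spoofed sources are bucketed per /24


@dataclass
class _Bucket:
    tokens: float
    last: float
    suppressed: int = 0


class ResponseRateLimiter:
    def __init__(self, cfg: Optional[RRLConfig] = None):
        self.cfg = cfg or RRLConfig()
        self._buckets: Dict[Tuple[str, str, str], _Bucket] = {}

    def decide(self, client_ip: str, qname: str, qtype: str, now: float) -> str:
        """Return 'send', 'slip' (TC=1 answer) or 'drop' for one would-be answer."""
        net = ipaddress.ip_network(f"{client_ip}/{self.cfg.ipv4_prefix_length}", strict=False)
        key = (str(net), qname.lower().rstrip("."), qtype.upper())
        rate = float(self.cfg.responses_per_second)
        b = self._buckets.get(key)
        if b is None:
            b = self._buckets[key] = _Bucket(tokens=rate, last=now)
        b.tokens = min(rate, b.tokens + (now - b.last) * rate)  # refill since last packet
        b.last = now
        if b.tokens >= 1.0:
            b.tokens -= 1.0
            return "send"
        b.suppressed += 1
        if self.cfg.slip and b.suppressed % self.cfg.slip == 0:
            return "slip"   # truncated answer: legit client retries over TCP
        return "drop"


def simulate_flood(limiter: ResponseRateLimiter, client_ip: str, n: int,
                   qname: str = "example.com", qtype: str = "ANY",
                   start: float = 0.0, interval: float = 0.001) -> Counter:
    """CONSTRUCTED traffic: n identical queries whose source is forged as
    client_ip, arriving interval seconds apart. Returns the count per decision."""
    return Counter(limiter.decide(client_ip, qname, qtype, start + i * interval)
                   for i in range(n))


if __name__ == "__main__":
    rrl = ResponseRateLimiter()
    # Reflected flood: 50 spoofed queries "from" the victim's /24 within 50 ms
    print("spoofed flood:", dict(simulate_flood(rrl, "203.0.113.10", 50)))
    # A real client on another network, asking once, is unaffected
    print("legit client:", rrl.decide("198.51.100.7", "example.com", "ANY", 0.05))
```

With the defaults, 50 identical spoofed queries in 50 ms yield 5 full answers, 22 slips and 23 drops, so the reflector emits a fraction of the bytes the attacker asked for, while clients on other networks, or asking for other names, keep their own buckets and are answered normally.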
Re: Re:
300Gbps isn't much for an IX, but significant to a switch, as most links are either 100Gbps or bonded 10Gbps from my experience at various DCs in the US.
Updating BIND doesn't stop recursive attacks or spoofing; using valid configs and RRL will.
The article is a lot of FUD and marketing for CloudFlare and Spamhaus, but it does show that action needs to be taken in regards to private companies not implementing basic security. BCP38, RRL, ACLs on services, etc...
Re:
CF is not all wrong. The exchange IPs accepting external traffic issue they mention could have ramifications, but the guys running exchanges know their stuff and are rapidly fixing it.
Hmmm...
It won't help solve the problem but politicians would use the "cyberwar" to begin a real war.
Re: Hmmm...
Politicians are so predictable.
OH!
I also believe the attackers aren't interested in 'breaking' the internet. But the US could use this to do some major damage and then put in place the cyber-Patriot Act. Regardless of people calling it horseshit or whatever, it's a matter to keep an eye on. If it's fairytales then nice, we are near April 1st, but if not..
In any case, even if some bored kids do break the internet this way there's no reason for anything like CISPA. But it will be used as an example of why it's needed...
Re: Re:
Do elaborate.
/MOTHER FUCKING S!
Not sure the OpenResolver list is useful
Apparently BIND reports that recursion is enabled, even if it's not available for the IP address doing the check. So how many of those servers are like mine, allowing recursive lookups for only specific IPs and not doing recursion to the Internet at large? Those servers aren't part of the problem.
The site seems to recognize this but not explicitly, only saying that of the 27 million servers they list, only roughly 25 million pose a threat. If they want the owners of servers to fix things, they need to provide more information than they have available. Hopefully this is just a hurried attempt to get the site up and they'll be adding more info. Otherwise I suspect it's going to be useless in the goal of reducing the number of open resolvers.
Re: Not sure the OpenResolver list is useful
The reason this kind of attack works is that UDP (a simple DNS query) does not handshake, so you can get some machines under your control to send falsified UDP query packets, with the falsified source address of your target, even to legit DNS servers, those that will always be around, and they will respond to your target, not you, obviously. But if the target address does not fall within the scope of the ISP where your remote machine is sitting, and this ISP has proper egress filtering, this would fail, since the packet would get silently dropped, so no issue.
Personally I can't stand Spamhaus and how they try to place themselves above actual laws and due process. And neither can a lot of other people. Cloudflare also has a lot of explaining to do as to why they tried to push the attack onto their upstream provider LINX, and why they didn't remove the Spamhaus site (as per industry standard practice) instead of allowing their other 1000+ customers to suffer losses due to one specific attack on a SINGLE customer. And let's not get into the fact that the attack was NOT on the IX infrastructure but instead purely directed at Cloudflare/Spamhaus only, and Cloudflare then used their IX IPs to bear traffic instead, which is WRONG and a cause for any customer of Cloudflare to re-assess their contract!
As for Cloudflare's blog post.. Total marketing hype, and a cause for concern is their usage of the top graphic of the two faces, which in reality is actually the photo used by the English band Massive Attack [ http://www.audiodrums.com/2010/01/18/new-massive-attack-paradise-circus-ft-hope-sandoval-of-mazzy-star/ ]. The hype and FUD and bullshit is strong in this whole story
Re:
Another problem is that a lot of MTAs rely on Spamhaus only. That's a bad design decision and helps Spamhaus to maintain their power! There are many more methods to fight SPAM without using RBLs. They are even more effective! Don't rely on a single third party! It's a massive SPOF!
Re:
I.e. Don't defend DDoS attacks, especially if you are in security...
Now I do hold some of these third parties responsible to some extent, but there is definitely blame on Cyberbunker if they admit to DDoSing. Did it take out the internet? No... Did it take out CloudFlare a bit? Sure, but that's their marketing pitch and they tried to swing their outage in a positive light.
There outta be a law
Re: Re: There outta be a law
That's just the tip of the iceberg.
Even if it did "break" the internet, what would really happen? For a while, some sites might not be reachable. The world would not end, people would not starve, the planet would not stop spinning. If it happens, it happens, move along and go watch TV for a while instead.
Re:
If you're having unprotected sex, just because your partner (or you) hasn't gotten pregnant doesn't mean there's no cause for concern.
Effects of attack on Spamhaus and Cloudfare for us
Yawn, yawn to attack.
A note though, a town in the west of the state had a fire in the local exchange which did knock out communications and the last to get back up was the internet (apparently took weeks to fix). So for my book, actual physical destruction stops access rather than software related problems.
Load of crap
Second, 100G is not that much (in such a network). There are routers where _every_ _single_ _port_ is 100G.
Yes, you read this correctly: while your home router port is usually 1G, and typically utilized at 30%, in T1 networks routers are designed to be "wire-speed", and can utilize all of the 100G ports at almost 100% at once without hanging/stacking/etc.
So no, the Internet was not close to being "broken", whatever that means; and yes, Techdirt again publishes rubbish about technical subjects. Please stay on patents/copyrights topics next time.
http://www.pcmag.com/article2/0,2817,2417142,00.asp
The resolvers aren't the issue, the ISPs are
Re: The resolvers aren't the issue, the ISPs are
Any ISP that has that sort of filter in place will make me ask myself what other sort of packet inspection they're doing, and to what extent they're spying on me.
Now think about web hosting. How can you deny people running their own nameservers? Sure, block all the traffic, but then back to square one. So what then? Force them to take a test? Scan their servers for problems? Ok sure, but not for free, and people don't want to pay... etc.
White labelled ISPs pride themselves on the lack of filtering and the ability for anyone to resell without branding. This gives their customers ultimate freedom, but at a cost of security.
The solution, as bad as it is, is to wait for attacks to be reported (or noticed), then act to make it stop or bring the server offline. You can only prevent so much while trying to keep freedom and quality.
Re: Re: The resolvers aren't the issue, the ISPs are
I'm not a networking expert, but what is the problem with the kind of filtering he's describing? What legitimate reason is there to spoof packets' source address? What reason does an ISP have to accept a packet that is addressed to somewhere it isn't going to be able to send it?
Re: Re: Re: The resolvers aren't the issue, the ISPs are
So then you have to establish deep packet inspection to learn more about the packets, thus more monitoring and very high costs, especially if you have lots of traffic.
The problem is that if you assume the end user will take care of it, you'll have a network with lots of security issues. But if you force security on your users, you'll lose your users.
DNS is a very basic system required by every business with an online presence. Sure, you can host using DNS hosters, but then you put your DNS in the hands of someone else.
If distributions concentrated on security instead of user-friendliness, this wouldn't be happening. But when you apt-get install bind/powerdns/etc, it has to work with minimal comprehension and reading of the manual, because, you know, otherwise people will stay with Windows.
Re: Re: Re: Re: The resolvers aren't the issue, the ISPs are
If it originates from within your network but says it comes from somewhere else, no? Likewise if it's coming into your network but not going anywhere your network can handle. Am I missing something here (genuine question, because maybe it's not as simple as it sounds)?
Re: Re: Re: Re: The resolvers aren't the issue, the ISPs are
You make it sound like such a difficult question.
If it's spoofed, you don't judge it, you don't inspect it, you kill it immediately. If its IP addresses are bad, then it's either corrupt or malicious, so shut it down.
Re: Re: Re: Re: Re: Re: The resolvers aren't the issue, the ISPs are
Anonymouse's comment below addresses that (sounds reasonable, though I'm not that knowledgeable about it). What would DPI tell you about address spoofing that inspecting the headers wouldn't?
Re: The resolvers aren't the issue, the ISPs are
As to Spamhaus: those of you slamming it are (a) spam-supporting parasites or (b) clueless. Spamhaus performs a function precisely equivalent to Consumer Reports: they express an opinion, one which you are free to heed or ignore. This is no different from hundreds of other DNSBLs, RHSBLs, static lists, etc. ALL of them express opinions, NONE of them enforce them on anyone.
Re: Re: The resolvers aren't the issue, the ISPs are
I'm trying to send Bob an email. Bob is using SpamHouse. I can't send Bob an email from home because my ISP is blacklisted for having "dynamic DNS" (let's not get into THAT).
So I email Alice and ask her to email Bob, which she does. She asks Bob to remove SpamHouse from his blocklists, but Bob also uses his ISP email and cannot do anything.
SpamHouse are one of the worst out there. They almost always refuse to remove blacklistings even when the issue is resolved and you have evidence, if you get an answer at all, and they often refuse to provide the reasons as to why you were blocked in the first place.
If only they charged for removal we could officially label them a scam.
Re: Re: Re: The resolvers aren't the issue, the ISPs are
If someone's ISP is refusing email as a consequence of a Spamhaus listing, then it's because that ISP chose to use Spamhaus. Nobody makes them do it.
Second, sending mail direct-to-MX from dynamic IPs is very, very stupid. It's a worst practice. So no whining that you can't do it; you shouldn't even be trying.
Third, Spamhaus is very prompt about removing listings once the reason for them has been resolved. In fact, they're TOO prompt, TOO nice about it, and occasionally they get scammed because the reason resurfaces shortly after they pull the listing.
Fourth, you have to really, REALLY work hard to earn a Spamhaus listing. Either (a) you have to be a prolific spammer or (b) you have to be an utterly incompetent, hopelessly lazy, thoroughly stupid network/system admin to get onto their list. Spamhaus is VERY lenient and VERY tolerant, often to my annoyance.
Fifth, it's trivially easy to see why something is listed by Spamhaus: they have a web interface that you can query and thus access a wealth of information. So when you say that "they often refuse to provide the reasons", you are -- once again -- lying.
Sixth, Spamhaus listings rarely happen in isolation. If you check numerous other DNSBLs/RHSBLs, you will see that the same IP addresses/network blocks/domains that show up on one tend to show up on many. Given that they're all independently run by people with very different criteria -- people who often argue with each other -- it should be obvious that when this happens, it's not because they all woke up and decided arbitrarily to make it happen. It's because there's a real problem.
I'm sure none of this will stop you from continuing to lie about Spamhaus, of course. Which spammer did you say you were?
Re: Re: Re: Re: The resolvers aren't the issue, the ISPs are
Getting listed on an RBL is rather trivial, but a good RBL will respect valid operators that research the reason for the listing and stop the offending emails. I've never had a problem with Spamhaus, so I don't know how easy it is to contact them. Like you stated though, everyone can choose their own hosting provider and use any RBLs or nothing if that is what they wish.
Re: Re: Re: Re: The resolvers aren't the issue, the ISPs are
This would only affect people using their ISP's email address, right? So just one more reason not to do that.
Re: Re: Re: Re: The resolvers aren't the issue, the ISPs are
Second, *tons* of ISPs allow direct-to-MX from dynamic IPs. Tons. Did I say tons? Tons.
Third, SpamHouse are known to be the nazis of blacklists and refuse to remove a single listing if other IPs in the same /24 are listed. I've been dealing with them for over 6 years, and it's mostly only problems.
Fourth, you don't have to work hard. You only need to run a hosting company and let the users take care of it for you.
Fifth, the interface is useless because you still have to apply to get delisted, and the idiot human behind the scenes always refuses, because "you have other networks listed".
Sixth, Spamhouse block tons of people that no other blocklist does. As I said above, in the web hosting world, they're known as the Nazis. Simple as that. Talk to some people that have inside knowledge of spam management.
I'm not sure if this will confirm you're a Spamhaus employee or just someone without knowledge of spam. Which scammer, err.. spamhauser did you say you were?
I work for a reputable company that fights with those idiots day after day. What scammers do you work for again? Hitler, is that you?! Sorry, I couldn't resist.
Re: Re: Re: Re: Re: The resolvers aren't the issue, the ISPs are
2nd - strange that you're measuring the ISPs by weight, I guess it's because they're sinking due to all the SPAM
3d Maybe SpamHouse are a bit overzealous, but it works... to tell a little story: assume everyone on your block uses the loo, like most civilized humans do, but you crap in the hand basin. Nobody on your block wanting to talk to you may cause peer pressure to make you change your behaviour and use the loo instead; until you do, don't expect me to accept your mail
4th there's the rub: not working, and letting users loose on the infrastructure who are not educated enough about correct internet procedures, gets you listed...
5th oh yes, refer to 3d above
6th oh yes, again refer to 3d above, and there's the second problem: if you're doing *WEB* hosting, why would DNS blacklisting, which only impacts *MAIL*, have anything to do with you?
I doubt he's a SpamHouse employee; neither am I, but I was happily using their services from '98? '99? onwards.
Yup, a *reputable* company, like the tons referred to in 2nd above...
There never is a reason to accept mail from a dynamically assigned IP address. If they really want to send out email, simple: they just configure their SMTP server to relay out via their ISP's SMTP server, problem solved, and SpamHouse won't have you listed, unless, of course, that ISP transports lots of SPAM out and doesn't do a thing to clean this up.
Re: Re: Re: Re: Re: Re: The resolvers aren't the issue, the ISPs are
2nd - Strange you say that. I never measured anything. I pointed out the obvious, obviously.
3d No. The correct analogy would be that you prevent everyone from using the hand basin until that one person stops... thus punishing everyone because of something one person did.
4th Enjoy running your company without clients. I guess you never worked in web hosting - or know much about it for that matter.
5th oh yes, refer to 3d above - yes exactly
6th Web hosting includes email. Again, you should learn the lingo before trying to use it without understanding it.
Yup, a *reputable* company, like the tons referred to in 2nd above... said the guy who can't understand the basics of web hosting.
"There never is a reason to accept mail from a dynamically assigned IP address, if they really want to send out email, simple, they just configure their SMTP server to relay out via their ISPs SMTP server, problem solved and SpamHouse won't have you listed, unless, of course, that ISP transports lots of SPAM out and doesn't do a thing to clean this up."
Exactly, so leave it up to the nazis to decide what is dynamic and what is not, which was exactly the problem in the first place.
I did not notice a thing
From experience, any major traffic peak that *can* (not necessarily does) affect their customers will be nullrouted at the first ingress (or egress) router, thus traffic goes nowhere. Then they'll contact you with the reason for the nullroute and the target.
Also, they assume that at any point there is a single 100gbps router handling the traffic, which couldn't be further from the truth unless you use known low-quality tier 1s. Routers are stacked for redundancy and to share CPU power.
It's not the first laugh we have about some non-tech person claiming the possibility to break the internet; remember the root nameserver one?
wow
From what I have read, 300Gbps of traffic has been directed at Spamhaus, which is a site that creates blocklists of potential spammers. They have then been attacked by someone they listed as a spam generating entity.
Is there now a chance that developers will spend some time preventing these types of attacks from happening again? Surely it would be simple enough to prevent DDoS attacks by having a system where, after a certain amount of attempts to DoS attack an entity, the servers would automatically restrict any future connection attempts, thereby completely nullifying the attack close to where it is being generated from. Simply block every attempt to attack a specific IP range.
Maybe I am simplifying this too much and don't understand the problem, but surely the main structure of the internet should be able to identify this type of attack and prevent it from spreading.
Re: wow
If you force the user to read up on a feature before being able to use it, then the user will learn about that feature and make the conscious decision of enabling it or not. I believe RedHat and all its derivatives ship with it enabled by default. Possibly other distros as well.
Theo de Raadt made a presentation about DNSSEC and how it could be used to amplify these sorts of attacks. The video's on YouTube. Basically, with misconfigured DNSSEC the attack could have been 10x, maybe even 100x worse.
Re: Re: wow
Assume you sit behind an ADSL connection, which assigns you one IP address, the router port on the ISPs end of the circuit, should, once assigning you the IP address, add 2 restrictions on their end:
1. allow traffic into the network from you, coming from your assigned IP address
2. drop/block everything else
To panic about open resolvers ignores ICMP problems and any other services that utilize UDP and that don't require handshaking and are thus prone to being used in spoof attacks.
The same goes for a leased line connection with a block of IP Addresses
1. allow traffic into the network from you, coming from your assigned network range, for example 196.15.195.128/27
2. drop/block everything else
Then for good measure, on the routers to the rest of the world, allow outgoing traffic from the IP addresses that are local to the ISP and drop/block everything else. No impact on the users, no packet inspection, no developers needing to do anything.
To identicon, you are missing the big picture, *think of the children*... DNS is a minor and non-issue, the issue is that ISPs knew about the spoofing issues back in the last century and have had the tools/option to setup the rules on their gateways since then, but it is a bit of work and these lazy so and so's should be kicked in the nuts for not implementing this lot ages ago already. Implementing the best practices rules on the gateways would take care of any and all ICMP and UDP spoof attacks, I am sure others may arise, they can then be dealt with in a way appropriate for those attacks, yelling DNS and open resolver does not solve the actual problem. The network as a whole should be cleanly set up, which includes every ISP from tier 1 on down to your local one man shop with half a class C assigned to him.
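The ingress and egress rules the comment above describes, written out as an added simulation so the decision logic can be checked against constructed packets. This is my example for this page, not any ISP's real router configuration. The 196.15.195.128/27 block is the one named in the comment; the ADSL address, the ISP's allocation, the resolver address and the victim address are assumed documentation-range values. Only the IP header's source address is examined, never the payload, which is the answer to the DPI question raised earlier in the thread.

```python
"""Source-address validation (BCP38) as a simulation. Added example for this
page; not any ISP's actual router configuration. A customer-facing port accepts
a packet only if its source is in that customer's assigned prefix; the border
toward the rest of the world forwards only ISP-local sources."""
import ipaddress
from typing import Dict, Iterable, List, Tuple

# CONSTRUCTED topology. 196.15.195.128/27 is the leased-line block from the
# comment; the ADSL address and the ISP allocation are assumed.
CUSTOMER_PREFIXES: Dict[str, List[str]] = {
    "adsl-port-17": ["198.51.100.42/32"],     # one ADSL subscriber, one address
    "leased-line-3": ["196.15.195.128/27"],   # leased line with a /27
}
ISP_PREFIXES: List[str] = ["198.51.100.0/24", "196.15.195.0/24"]


def _in_any(ip: str, prefixes: Iterable[str]) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(p, strict=False) for p in prefixes)


def ingress_decision(port: str, src_ip: str) -> str:
    """Customer port rule: allow the assigned addresses, drop everything else.
    Unknown ports get an empty allow list, so they drop everything."""
    return "allow" if _in_any(src_ip, CUSTOMER_PREFIXES.get(port, [])) else "drop"


def egress_decision(src_ip: str) -> str:
    """Border rule: only sources the ISP actually owns may leave the network."""
    return "allow" if _in_any(src_ip, ISP_PREFIXES) else "drop"


def filter_packets(packets: Iterable[Tuple[str, str, str]]) -> List[Tuple[str, str, str, str]]:
    """packets are (ingress_port, src_ip, dst_ip). Returns (src, dst, ingress,
    egress) per packet; egress is only evaluated if the ingress rule allowed it.
    Protocol-agnostic: DNS, ICMP or game traffic is judged the same way."""
    out = []
    for port, src, dst in packets:
        ing = ingress_decision(port, src)
        eg = egress_decision(src) if ing == "allow" else "n/a"
        out.append((src, dst, ing, eg))
    return out


# CONSTRUCTED sample traffic. 192.0.2.53 plays an open resolver on the internet,
# 203.0.113.10 the victim whose address is forged.
SAMPLE_PACKETS = [
    ("adsl-port-17", "198.51.100.42", "192.0.2.53"),      # subscriber's own DNS query
    ("adsl-port-17", "203.0.113.10", "192.0.2.53"),       # spoofed: claims to be the victim
    ("leased-line-3", "196.15.195.130", "192.0.2.53"),    # inside the assigned /27
    ("leased-line-3", "196.15.195.200", "192.0.2.53"),    # outside the /27 (covers .128-.159)
]


def spoofed_packets_blocked(packets=SAMPLE_PACKETS) -> int:
    """How many packets never reach the world because a BCP38 rule dropped them."""
    return sum(1 for _, _, ing, eg in filter_packets(packets) if ing == "drop" or eg == "drop")


if __name__ == "__main__":
    for row in filter_packets(SAMPLE_PACKETS):
        print("%-16s -> %-12s ingress=%-5s egress=%s" % row)
```

Note the fourth packet: 196.15.195.200 is inside the ISP's /24, so the border rule alone would have let it out; only the per-circuit rule catches it, which is why the comment puts the check on the customer port rather than only at the edge. Nothing here needs packet inspection beyond the source address field.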
I'm still getting over 11,000 kbs download speeds but I wish I had Google with that GFG 1gbps u/d :(
Popehat
No clue if this was related or not. It's the first time I had difficulty navigating to Popehat since I started visiting it around the time The Oatmeal train wreck got underway.
Granted, I'm in the US.
Re: Popehat
and 2: it seems you need to supply more Pony's to Ken! ;)
I hope they can shutdown Spamhaus for good