Anton Chuvakin

A member of the Gartner Blog Network

Anton Chuvakin
Research Director
1 year with Gartner
12 years IT industry

Anton Chuvakin is a research director at Gartner's IT1 Security and Risk Management group. Before Mr. Chuvakin joined Gartner, his job responsibilities included security product management, evangelist… Read Full Bio

Coverage Areas:

On NTP Reflection DDoS: 1990s Strike Back?

by Anton Chuvakin  |  February 14, 2014  |  2 Comments

Is punch card theft from the mail the only security problem we have solved over the last 50 years? I was really hoping IP spoofing has joined the incredibly short list of security problems we have solved for good. After all, this issue goes back to the good old times of Steve Bellovin and his “Security Problems in the TCP/IP Protocol Suite”, the day and age when some of today’s industry experts were in kindergarten…

Boy, was I sorely mistaken. Sure, I admire the ability of attackers to find all the opportunities for amplification DDoS. DNS – check, NTP – check, SNMP – pending… However, I definitely can not hold the the same admiration for the “defenders” (if they can be called that) who still allow spoofed packets to leave their networks.

This anti-DDoS vendor explains it best: “the simple UDP-based NTP protocol is prone to amplification attacks because it will reply to a packet with a spoofed source IP address and because at least one of its built in commands will send a long reply to a short request.”

See what I mean? No spoofing – no reflection DDoS! Easy, huh?

People, this is not APT-fighting and … ahem … cyberwar. This is router configuration 101 circa 1999. So, check those routers already (and check your NTP servers while you are at it). Make sure that the anti-spoofing rules are in place, that they were not removed, disabled, gone missing, etc.

Now, in the past some of the many, many, many pitches to get organizations to implement anti-spoofing and egress filtering were powered by the plea to “protect the community.” Frankly, many organizations don’t give rat’s ass about the community. So OK. Forget the community for a moment. Think this: if you don’t implement anti-spoofing, you will end up on SO MANY blacklists and threat intelligence feeds that your organization’s Internet access would be next to useless since browsers, email servers, web sites, etc will BAN YOU!

So do it to protect YOUR OWN CONNECTIVITY!

There you have it! Thanks to my colleague Craig Lawson for motivating me to write this. Craig, get your own blog already :-)

2 Comments »

Category: collective Denial of Service philosophy security     Tags:

2 responses so far ↓