NTP DRDos Blog post

Folks,

I just posted http://nwtime.org/ntp-winter-2013-network-drdos-attacks/ .

In general we've never allowed comments to blog posts on that site;
we're currently discussing if we should allow them for this post.

I'd love to hear any feedback about the post.

Thanks...

* stenn@ntp.org (Harlan Stenn) [Thu 20 Feb 2014, 00:38 CET]:

> I'd love to hear any feedback about the post.

Don't invent new terms like DrDos.

  -- Niels.

+1

That's not a new term.

http://en.wikipedia.org/wiki/DRDOS
DRDoS, a type of network attack named Distributed Reflection Denial of Service.
http://en.wikipedia.org/wiki/Distributed_Reflection_Denial_of_Service#Reflected_.2F_Spoofed_attack

Yes, it was also used here https://www.sans.org/reading-room/whitepapers/intrusion/summary-dos-ddos-prevention-monitoring-mitigation-techniques-service-provider-enviro-1212

But still, it's just a DDoS.

-----Original Message-----

It isn't used by folks involved in operational security. It's a marketing term.

Or Digital Research Disk Operating System...if you're old enough.
Who knew DRDOS would become popular [again]?

I'll split the difference: folks in operational security dislike the term as they
feel it's inaccurate. They tend to think it's marketing vs operational related.

Reflection attacks are considered a sub-type of DoS/DDoS and do not require a new
term. It's the same problem folks have with absolute terms like "Unlimited Data"
with the asterisk.

Can I direct the knife-fights about that part off-list? :) (and preferably exclude me,
I get enough email).

- jared

That's still meaningless. The term of art is 'reflection/amplification attack', as in 'ntp reflection/amplification attack' or 'DNS reflection/amplification attack'.

What? Digital Research's MS-DOS clone is attacking things?

Cheers,
-- jr ':-)' a

This is not a new term (certainly >12yo) and one that I see as useful, just as it is useful to differentiate between a DoS and a DDoS. That extra "D" tells you that it's "distributed". Add an "R" and now it's "reflected" -- an important difference.

If it's seen as being recently co-opted and misused by marketing people, then that's a shame. But its practicality trumps that in my eyes. And I am definitely on the operational security side here.

I do generally prefer "X reflection/amplification attack", as Roland suggested, as it is more specific.

-John

Actually, it's much more recent than that (in this context; as others have mentioned, DR-DOS was the acronym for Digital Research's MS-DOS clone).

But I'm going to stop posting about this, now, as Jared suggested.

;>

I didn't just pluck that 12y term out of the air.

I know how much Gibson is hated in some circles, but he used it in 2002: http://homes.cs.washington.edu/~arvind/cs425/doc/drdos.pdf. I read that in 2002, did other research about it in 2002, saw reflected attacks in 2002.

Yes, I used DRDOS, too.

-John

I had wondered what the problem was, older than age, with anyone trying to run DRDOS. It should fit in the memory and cpu footprint of a modern toaster.

-d

> I know how much Gibson is hated in some circles,

He isn't/wasn't part of the operational community.

It sure looks like you're right, he coined it then - as a marketing term, for marketing himself, heh. Maybe that's one of the reasons it's so disliked.

;>

> I read that in 2002, did other research about it in 2002, saw reflected attacks in 2002.

I saw reflected/amplified attacks in 2002, too, and that's what I called them. So did everyone else I worked with to mitigate them, heh.

And I'm really going to shut up about this, now.

Hello Harlan,

> Folks,
> I just posted https://www.nwtime.org/news/ntp-winter-2013-network-drdos-attacks/ .

   wget https://www.nwtime.org/news/ntp-winter-2013-network-drdos-attacks/
--2014-02-20 15:03:13-- https://www.nwtime.org/news/ntp-winter-2013-network-drdos-attacks/
Resolving nwtime.org (nwtime.org)... 140.211.15.245
Connecting to nwtime.org (nwtime.org)|140.211.15.245|:80... failed: Connection refused.

   I get the same type of message from 3 different systems that I have access from & three different browsers. Did the URL change or get locked down?
     TIA, JimL

I was seeing database connect errors earlier. I suspect the host resources are limited.

Jared Mauch


I can't get to any part of the nwtime.org web site.

Google has a cached copy of the article.

Search for "site:nwtime.org ntp drdos attacks"

-DMM