The Network Time Foundation published this blog post on the problem of, and the fix for, NTP reflection attacks, which it describes as a classic case of a “tragedy of the commons”. If everyone involved had done what was right for the community, the situation would never have occurred.
If the fix is that easy, why isn’t it already in place?
Good question. There isn’t a really good answer, but here are some of the factors involved:
Ingress filtering helps “you”. Some folks will actually use this. But it won’t help much for the current abuse. Egress filtering will fix it, though.
Egress filtering helps “others”. Not many staffers are paid to make life better for other folks, and egress filtering is not compulsory.
Your ISP could do ingress filtering at their network border with you. After all, your egress is their ingress.
This is the first time this NTP facility has been abused in a major way in over 20 years’ time. The potential for abusing this facility has been known for a very long time and there has always been a way to block it, but changing the default from “open” to “closed” has had tangible costs and has never had tangible benefits before.
Filtering, by design, “limits” the flow of information, and therefore if a situation ever arises where we need to “poke a hole” in these walls it is extra work. If there are no walls, there is no need to poke holes.
In short, everyone took the easy way out and did nothing. Instead of doing it right, we all did it easy and cheap. In the end, we have a viable DDoS attack available for very little effort, even though it has been a known problem for many years.
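The “open” versus “closed” default discussed above, as an ntp.conf fragment. This is an added illustration, not configuration from the Network Time Foundation’s post; the restrict and disable keywords are ntpd’s own, and the upstream server address is a placeholder.

```conf
# --- "open" (historical behaviour): no restrict lines at all, so ntpd
# answers time queries, control queries and the monitor (monlist) query
# from any source address, which is what reflection abuse relies on.
server ntp.example.invalid   # placeholder upstream server

# --- "closed" (hardened): default-deny for everyone, then open only
# what is needed.  kod     = send kiss-o'-death on rate-limited clients
#                 nomodify = refuse runtime configuration changes
#                 notrap   = refuse control-message trap service
#                 nopeer   = refuse unsolicited peer associations
#                 noquery  = refuse ntpq/ntpdc queries (incl. monlist)
# Plain time service (client requests) is still allowed by these lines.
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery

# Local administration over the loopback interface stays unrestricted.
restrict 127.0.0.1
restrict -6 ::1

# Turn off the monitor facility entirely so there is no monlist data
# to reflect, independent of the restrict lines above.
disable monitor

server ntp.example.invalid   # placeholder upstream server
```

Verify from an outside host with `ntpdc -n -c monlist <server>` or `ntpq -c rv <server>`: a hardened server should time out or answer with no data, while ordinary `ntpdate`/SNTP time queries still succeed.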
Tragedy of the Commons – Wikipedia: The tragedy of the commons is an economics theory by Garrett Hardin, according to which individuals, acting independently and rationally according to each one’s self-interest, behave contrary to the whole group’s long-term best interests by depleting some common resource.