nanog mailing list archives
Re: Spoofing ASNs (Re: SNMP DDoS: the vulnerability you might not know you have)
From: Blake Dunlap <ikiris () gmail com>
Date: Thu, 8 Aug 2013 12:46:10 -0500
I noticed that two of my ASNs are on that list for example with low numbers. I can't fathom how as at least one of them has uRPF implemented on any actual interfaces and no downstreams/peers.

-Blake

On Thu, Aug 8, 2013 at 12:40 PM, Matthew Petach <mpetach () netflight com> wrote:
> On Thu, Aug 8, 2013 at 10:29 AM, Jared Mauch <jared () puck nether net> wrote:
>> On Aug 1, 2013, at 2:31 AM, Saku Ytti <saku () ytti fi> wrote:
>>> On (2013-07-31 17:07 -0700), bottiger wrote:
>>>> But realistically those 2 problems are not going to be solved any time in the next decade. I have tested 7 large hosting networks only one of them had BCP38.
>>>
>>> I wonder if it's truly that unrealistic. If we target access networks, it seems impractical target.
>>>
>>> We have about 40k origin only ASNs and about 7k ASNs which offer transit, who could arguably trivially ACL those 40k peers.
>>>
>>> If we truly tried, as a community to make deploying these ACLs easy and actively reach out those 7k ASNs and offer help, would it be unrealistic to have ACL deployed to sufficiently large portion of networks to make spoofing impractical/expensive?
>>
>> The following is a sorted list from worst to best of networks that allow spoofing: (cutoff here is 25k)
>> (full list - http://openresolverproject.org/full-spoofer-asn-list-201307.txt )
>>
>> Count ASN#
>> ------------
>> 1323950 3462
>> 1300938 4134
>> 1270046 8151
>> 1213972 9737
>> ...
>
> For the technically clueless among us... what does "count" refer to in this output?
>
> How many times you were able to spoof an address through them? How many different addresses you could spoof through them? How many spoofed packets made it through before being blocked?
>
> It's kinda hard to know what the list represents without a bit of explanation around it. ^_^;
>
> Thanks! :)
>
> Matt