Re: BCP38.info

[TGLASSEY <tglassey () earthlink net>]

On 1/28/2014 1:07 PM, Nick Olsen wrote:
> While I see what you're saying. It's still not "Spoofed".
>
> The device in question receives the request. And then generates a response
> with the src address of the egress interface of the device dst to the IP
> and port that requested it... In this case. The GRE tunnel. Unless I'm
> missing something here about replying to a request only on the interface
> which it ingressed the device. And the fact that it's UDP. not TCP. So it's
> fire-and-forget.

No in this case the system is being hit with a MITM type attack
> Thus, Nothing was ever spoofed. It just simply was returned from a
> different interface of the same device. From our point of view. We saw the
> packet of DNS-SRC>OurCustomer. And the other ISP, Which transported the
> reply. only saw Customer-SRC>DNS-DST.
>
> Obviously, This only works because it's UDP. And TCP would be broken.
>
> Nick Olsen
>   Network Operations
> (855) FLSPEED  x106
>
> ----------------------------------------
> From: "Jared Mauch" <jared () puck nether net>
> Sent: Tuesday, January 28, 2014 3:04 PM
> To: nick () flhsi com
> Cc: "David Miller" <dmiller () tiggee com>, Valdis.Kletnieks () vt edu, "NANOG"
> <nanog () nanog org>
> Subject: Re: BCP38.info
>
> On Jan 28, 2014, at 2:57 PM, Nick Olsen <nick () flhsi com> wrote:
>
> > Agreed.
> >
> > Our's listed for AS36295 are two customers, Which I know for a fact have
> their default route set out of a GRE tunnel interface. So while we hand
> them the request to their interface IP we've assigned them. The response is
> actually sent, And transported via the customers GRE Tunnel, And HQ's
> Dedicated internet access where their tunneling to. Making it appear that
> the reply has been spoofed. When in reality. it was just silent transported
> to another area before being sent to the src.
>
> Sure, but this means that network is allowing the spoofing :)
>
> What I did last night was automated comparing the source ASN to the dest
> ASN mapped to and reported both the IP + ASN on a single line for those
> that were interested.
>
> I'm seeing a lot of other email related to BCP-38 right now on another
> list, but I wanted to share some data (again) in public regarding the state
> of network spoofing out there.
>
> I'd rather share some data and how others can observe this to determine how
> we can approach a fix.  Someone spoofing your IP address out some other
> carrier is something you may be interested to know about, even if you have
> a non-spoofing network.
>
> - jared

--
-------------

Personal Email - Disclaimers Apply