nanog mailing list archives
Re: large BCP38 compliance testing
From: Nick Hilliard <nick () foobar org>
Date: Thu, 02 Oct 2014 11:28:30 +0100
On 02/10/2014 11:10, Mikael Abrahamsson wrote:
> Why isn't this being done? Why are we complaining about 300 gigabit/s DDOS attacks, asking people to fix their open resolvers, NTP servers etc, when the actual culprit is that some networks in the world don't implement BCP38?
ntp monlist / dnssec abuse can provide ~30x amplification. So if you can find ten 1G links anywhere in the world which aren't protected with BCP38 filtering, you can initiate a mostly untraceable 300G DDoS.
This shouldn't stop us from finding, then naming and shaming operators who don't use bcp38, but we also need to maintain realistic expectations about how successful it's going to be.
It would probably be more productive to pressurise transit providers to enforce bcp38 on their customer links.
Nick