Re: large BCP38 compliance testing

[Alain Hebert <ahebert () pubnix net>]

On 10/02/14 08:37, Roland Dobbins wrote:
> On Oct 2, 2014, at 7:16 PM, Alain Hebert <ahebert () pubnix net> wrote:
>
> >    BCP38 compliance is the exception not the norm.
> I'm not sure that's actually the case, practically-speaking.
>
> NAT is an awful thing for many reasons, and it's negative in terms of its overall impact on security, but there's one 
> actual benefit from it; it is effectively a form of anti-spoofing.
>
> The prevalence of NAT on consumer broadband access networks means that those networks do not generally emit spoofed 
> packets.  The same goes for many SME networks, even though they oughtn't to be running NAT in front of their servers.
    You are right on that point, I keep forgetting about the little man :(

    My mindset was set on DDoS and not C&C/SPAM/etc.
> My guess is that the majority, if not all, of the reflection/amplification attacks we see are actually initiated from 
> servers under the control of attackers and residing on hosting/co-location IDC networks which don't enforce 
> anti-spoofing at the access, distribution, or peering/transit portions of their topologies.  Some of these servers 
> are tied into so-called 'booter' systems, whereas others are linked into more conventional C&C under the direct 
> control of attackers, while still others are utilized to launch attacks 'by hand', as it were.
   
    We had the same experience where you get a 1Mbps steam of DDoS
amplification start on the 15th and end abruptly on the 30th at 23h55m
(CC report cycle/reject is often around 15 days).  Then on the 5th and
end 15 days later... for a few month in a row.
   
> Those networks are unmanaged and are likely to remain so (or are so-called 'bulletproof' networks catering to 
> criminals).  Their peers/upstream transits likewise are not enforcing anti-spoofing on ingress, nor are they 
> monitoring traffic originating from these networks as it ingresses their own networks (and in any event, the traffic 
> volume of the spoofed packets on the attack source - reflector/amplifier leg is relatively small).
>
> So, the problem is that those networks which are likely to implement the various topologically-appropriate at the 
> various edges of their network are likely to have done so.  And by definition, the endpoint networks where the 
> spoofed traffic originates aren't likely to do so, nor are their immediate peers/upstream transits - or they would've 
> done so long ago. 
>
> ----------------------------------------------------------------------
> Roland Dobbins <rdobbins () arbor net> // <http://www.arbornetworks.com>
>
>                    Equo ne credite, Teucri.
>
>                         -- Laocoön