nanog mailing list archives
Re: large BCP38 compliance testing
From: Alain Hebert <ahebert () pubnix net>
Date: Thu, 02 Oct 2014 08:54:07 -0400
On 10/02/14 08:37, Roland Dobbins wrote:
On Oct 2, 2014, at 7:16 PM, Alain Hebert <ahebert () pubnix net> wrote:BCP38 compliance is the exception not the norm.I'm not sure that's actually the case, practically-speaking. NAT is an awful thing for many reasons, and it's negative in terms of its overall impact on security, but there's one actual benefit from it; it is effectively a form of anti-spoofing. The prevalence of NAT on consumer broadband access networks means that those networks do not generally emit spoofed packets. The same goes for many SME networks, even though they oughtn't to be running NAT in front of their servers.
You are right on that point, I keep forgetting about the little man :( My mindset was set on DDoS and not C&C/SPAM/etc.
My guess is that the majority, if not all, of the reflection/amplification attacks we see are actually initiated from servers under the control of attackers and residing on hosting/co-location IDC networks which don't enforce anti-spoofing at the access, distribution, or peering/transit portions of their topologies. Some of these servers are tied into so-called 'booter' systems, whereas others are linked into more conventional C&C under the direct control of attackers, while still others are utilized to launch attacks 'by hand', as it were.
We had the same experience where you get a 1Mbps steam of DDoS amplification start on the 15th and end abruptly on the 30th at 23h55m (CC report cycle/reject is often around 15 days). Then on the 5th and end 15 days later... for a few month in a row.
Those networks are unmanaged and are likely to remain so (or are so-called 'bulletproof' networks catering to criminals). Their peers/upstream transits likewise are not enforcing anti-spoofing on ingress, nor are they monitoring traffic originating from these networks as it ingresses their own networks (and in any event, the traffic volume of the spoofed packets on the attack source - reflector/amplifier leg is relatively small). So, the problem is that those networks which are likely to implement the various topologically-appropriate at the various edges of their network are likely to have done so. And by definition, the endpoint networks where the spoofed traffic originates aren't likely to do so, nor are their immediate peers/upstream transits - or they would've done so long ago. ---------------------------------------------------------------------- Roland Dobbins <rdobbins () arbor net> // <http://www.arbornetworks.com> Equo ne credite, Teucri. -- Laocoön
Current thread:
- large BCP38 compliance testing Mikael Abrahamsson (Oct 02)
- Re: large BCP38 compliance testing Mikael Abrahamsson (Oct 02)
- Re: large BCP38 compliance testing Nick Hilliard (Oct 02)
- Re: large BCP38 compliance testing Jérôme Nicolle (Oct 02)
- Re: large BCP38 compliance testing Barry Greene (Oct 02)
- Re: large BCP38 compliance testing Nick Hilliard (Oct 02)
- Re: large BCP38 compliance testing Andrei Robachevsky (Oct 02)
- Re: large BCP38 compliance testing Jérôme Nicolle (Oct 02)
- Re: large BCP38 compliance testing Alain Hebert (Oct 02)
- Re: large BCP38 compliance testing Roland Dobbins (Oct 02)
- Re: large BCP38 compliance testing Alain Hebert (Oct 02)
- Re: large BCP38 compliance testing Roland Dobbins (Oct 02)
- Re: large BCP38 compliance testing Jared Mauch (Oct 02)
- Re: large BCP38 compliance testing Roland Dobbins (Oct 02)
- Re: large BCP38 compliance testing Jay Ashworth (Oct 03)
- Re: large BCP38 compliance testing Alain Hebert (Oct 06)
- Re: large BCP38 compliance testing Jay Ashworth (Oct 12)
- Re: large BCP38 compliance testing Roland Dobbins (Oct 02)
- Re: large BCP38 compliance testing Jimmy Hess (Oct 05)
- Re: large BCP38 compliance testing Octavio Alvarez (Oct 20)