nanog mailing list archives

Re: large BCP38 compliance testing

From: Roland Dobbins <rdobbins () arbor net>
Date: Thu, 2 Oct 2014 19:37:55 +0700


On Oct 2, 2014, at 7:16 PM, Alain Hebert <ahebert () pubnix net> wrote:

   BCP38 compliance is the exception not the norm.

I'm not sure that's actually the case, practically-speaking.

NAT is an awful thing for many reasons, and it's negative in terms of its overall impact on security, but there's one
actual benefit from it; it is effectively a form of anti-spoofing.

The prevalence of NAT on consumer broadband access networks means that those networks do not generally emit spoofed
packets. The same goes for many SME networks, even though they oughtn't to be running NAT in front of their servers.

My guess is that the majority, if not all, of the reflection/amplification attacks we see are actually initiated from
servers under the control of attackers and residing on hosting/co-location IDC networks which don't enforce
anti-spoofing at the access, distribution, or peering/transit portions of their topologies. Some of these servers are
tied into so-called 'booter' systems, whereas others are linked into more conventional C&C under the direct control of
attackers, while still others are utilized to launch attacks 'by hand', as it were.

Those networks are unmanaged and are likely to remain so (or are so-called 'bulletproof' networks catering to
criminals). Their peers/upstream transits likewise are not enforcing anti-spoofing on ingress, nor are they monitoring
traffic originating from these networks as it ingresses their own networks (and in any event, the traffic volume of the
spoofed packets on the attack source - reflector/amplifier leg is relatively small).

So, the problem is that those networks which are likely to implement the various topologically-appropriate at the
various edges of their network are likely to have done so. And by definition, the endpoint networks where the spoofed
traffic originates aren't likely to do so, nor are their immediate peers/upstream transits - or they would've done so
long ago.

----------------------------------------------------------------------
Roland Dobbins <rdobbins () arbor net> // <http://www.arbornetworks.com>

Equo ne credite, Teucri.

-- Laocoön

Current thread:

large BCP38 compliance testing Mikael Abrahamsson (Oct 02)
- Re: large BCP38 compliance testing Mikael Abrahamsson (Oct 02)
- Re: large BCP38 compliance testing Nick Hilliard (Oct 02)
  - Re: large BCP38 compliance testing Jérôme Nicolle (Oct 02)
    - Re: large BCP38 compliance testing Barry Greene (Oct 02)
    - Re: large BCP38 compliance testing Nick Hilliard (Oct 02)
  - Re: large BCP38 compliance testing Andrei Robachevsky (Oct 02)
- Re: large BCP38 compliance testing Alain Hebert (Oct 02)
  - Re: large BCP38 compliance testing Roland Dobbins (Oct 02)
    - Re: large BCP38 compliance testing Alain Hebert (Oct 02)
    - Re: large BCP38 compliance testing Roland Dobbins (Oct 02)
    - Re: large BCP38 compliance testing Jared Mauch (Oct 02)
  - Re: large BCP38 compliance testing Jay Ashworth (Oct 03)
    - Re: large BCP38 compliance testing Alain Hebert (Oct 06)
    - Re: large BCP38 compliance testing Jay Ashworth (Oct 12)
- Re: large BCP38 compliance testing Valdis . Kletnieks (Oct 02)
  - Re: large BCP38 compliance testing Roland Dobbins (Oct 02)
  - Re: large BCP38 compliance testing Jimmy Hess (Oct 05)
    - Re: large BCP38 compliance testing Octavio Alvarez (Oct 20)

(Thread continues...)