nanog mailing list archives
Re: large BCP38 compliance testing
From: Brian Rak <brak () gameservers com>
Date: Thu, 02 Oct 2014 14:24:18 -0400
On 10/2/2014 6:10 AM, Mikael Abrahamsson wrote:
Hi,To fix a lot of the DDOS attacks going on, we need to make sure BCP38 compliance goes up. Only way to do this I can think of, is large scale BCP38 testing. One way of doing this, is to have large projects such as OpenWRT, RIPE Atlas project, perhaps even CPE vendors, implement something that would spoof 1 packet per day or something to a known destination, and in this packet the "real" source address of the packet is included.I have been getting pushback from people that this might be "illegal". Could anyone please tell me what's illegal about trying to send a packet with a random source address?If we can get consensus in the operational world that this is actually ok, would that help organisations to implement this kind of testing. I could see vendors implement a test like "help verify network stability and compliance, these tests are anonymous" checkbox during the initial install, or something like this.Why isn't this being done? Why are we complaining about 300 gigabit/s DDOS attacks, asking people to fix their open resolvers, NTP servers etc, when the actual culprit is that some networks in the world don't implement BCP38?
A lot of the discussion on BCP38 seems to be around providers who are unintentionally allowing IP spoofing.
What about providers who knowingly allow IP spoofing, because it's profitable?
There's a provider that basically caters to the DDOS-as-a-service industry by selling servers with unmetered connections, where they allow IP spoofing. (If you've ever looked into this at all, you know exactly who I'm talking about).
Current thread:
- Re: large BCP38 compliance testing, (continued)
- Re: large BCP38 compliance testing Alain Hebert (Oct 02)
- Re: large BCP38 compliance testing Roland Dobbins (Oct 02)
- Re: large BCP38 compliance testing Jared Mauch (Oct 02)
- Re: large BCP38 compliance testing Jay Ashworth (Oct 03)
- Re: large BCP38 compliance testing Alain Hebert (Oct 06)
- Re: large BCP38 compliance testing Jay Ashworth (Oct 12)
- Re: large BCP38 compliance testing Roland Dobbins (Oct 02)
- Re: large BCP38 compliance testing Jimmy Hess (Oct 05)
- Re: large BCP38 compliance testing Octavio Alvarez (Oct 20)
- Re: large BCP38 compliance testing Roland Dobbins (Oct 02)
- Re: large BCP38 compliance testing Rich Kulawiec (Oct 02)
- Re: large BCP38 compliance testing Mark Andrews (Oct 02)
- Re: large BCP38 compliance testing Rich Kulawiec (Oct 03)
- Re: large BCP38 compliance testing Mikael Abrahamsson (Oct 03)
- Re: large BCP38 compliance testing Alain Hebert (Oct 03)
- Re: large BCP38 compliance testing Matt Palmer (Oct 05)