nanog mailing list archives
Re: Thank you, Comcast.
From: Damian Menscher via NANOG <nanog () nanog org>
Date: Fri, 26 Feb 2016 11:47:43 -0800
"We all know..." followed by a false statement is amusing. A significant portion of spoofing originates from North America. In a recent attack I'm reviewing, the top sources of spoofing were the southwestern US, the northwestern US, and east Asia (and almost none from Europe). If ISPs understood how to collect and review netflow we might get somewhere... why is this so hard, and how do we fix it? Damian On Fri, Feb 26, 2016 at 10:48 AM, Dovid Bender <dovid () telecurve com> wrote:
We all know what countries this traffic is coming from. While you can threaten the local ISP's the ones over seas where the traffic is coming from won't care. Regards, Dovid -----Original Message----- From: Damian Menscher via NANOG <nanog () nanog org> Sender: "NANOG" <nanog-bounces () nanog org>Date: Fri, 26 Feb 2016 08:02:52 To: Jared Mauch<jared () puck nether net>; Jason Livingood< Jason_Livingood () cable comcast com>; Mody, Nirmal< Nirmal_Mody () cable comcast com> Reply-To: Damian Menscher <damian () google com> Cc: NANOG list<nanog () nanog org> Subject: Re: Thank you, Comcast. On Fri, Feb 26, 2016 at 6:28 AM, Jared Mauch <jared () puck nether net> wrote:As a community we need to determine if this background radiation andtheseresponses are proper. I think it's a good response since vendors can't do uRPF at line rate and the major purchasers of BCM switches don't ask foritand aren't doing it, so it's not optimized or does not exist. /sighI don't agree with the approach of going after individual reflectors (open*project) or blocking specific ports (Comcast's action here) as both are reactive, unlikely to be particularly effective (there are still millions of reflectors and plenty of open ports available), and don't solve the root problem (spoofed packets making it onto the public internet). What I'd much rather see Comcast do is use their netflow to trace the source of the spoofed packets (one of their peers or transit providers, no doubt) and strongly encourage (using their legal or PR team as needed) them to trace back and stop the spoofing. This benefits everyone in a much more direct and scalable way. Until some of the larger providers start doing that, amplification attacks and other spoofed-source attacks (DNS and synfloods) will continue to thrive. (I've contacted several ISPs about the spoofed traffic they send to us. The next major hurdle is that so many don't have netflow or other useful monitoring of their networks....) Damian
Current thread:
- Re: Thank you, Comcast., (continued)
- Re: Thank you, Comcast. Anthony Junk (Feb 26)
- Re: Thank you, Comcast. Roland Dobbins (Feb 26)
- Re: Thank you, Comcast. Roland Dobbins (Feb 26)
- Re: Thank you, Comcast. Mikael Abrahamsson (Feb 26)
- Re: Thank you, Comcast. Maxwell Cole (Feb 26)
- Re: Thank you, Comcast. Jared Mauch (Feb 26)
- Re: Thank you, Comcast. Damian Menscher via NANOG (Feb 26)
- Re: Thank you, Comcast. Roland Dobbins (Feb 26)
- Re: Thank you, Comcast. Dovid Bender (Feb 26)
- Re: Thank you, Comcast. Jared Mauch (Feb 26)
- Re: Thank you, Comcast. Damian Menscher via NANOG (Feb 26)
- Re: Thank you, Comcast. Dovid Bender (Feb 26)
- Re[2]: Thank you, Comcast. Adam (Feb 26)
- RE: Thank you, Comcast. Keith Medcalf (Feb 26)
- Re: Thank you, Comcast. Livingood, Jason (Feb 26)
- RE: Thank you, Comcast. Keith Medcalf (Feb 26)
- Re: Thank you, Comcast. Mike Hammett (Feb 26)
- RE: Thank you, Comcast. Naslund, Steve (Feb 26)
- RE: Thank you, Comcast. Keith Medcalf (Feb 26)
- Re: Thank you, Comcast. Mike Hammett (Feb 26)
- RE: Thank you, Comcast. Keith Medcalf (Feb 26)