nanog mailing list archives
Re: BCP38 thread 93,871,738,435 (was Re: register.com down sev0?)
From: "Steven M. Bellovin" <smb () cs columbia edu>
Date: Thu, 26 Oct 2006 09:33:24 -0400
On Thu, 26 Oct 2006 02:20:48 -0400 (EDT), Sean Donelan <sean () donelan com> wrote:
> The only data I have is from the MIT anti-spoofing test project which has been pretty consistent for a long time. About 75%-80% of the nets, addresses, ASNs tested couldn't spoof, and about 20%-25% could.
>
> The geo-location maps don't show much difference between parts of the world. RIPE countries don't seem to be better or worse than ARIN countries or APNIC countries or so on. ISPs on every continent seem to be about the same.
>
> http://spoofer.csail.mit.edu/summary.php
>
> If someone finds the silver bullet that will change the remaining 25% or so of networks, I think ISPs on every continent would be interested.

That would be nice -- but I wonder how much operational impact that would have. As you note, the 20-25% figure (of addresses) has been pretty constant for quite a while. Assuming that subverted machines are uniformly distributed (a big assumption) and assuming that their methodology is valid (another big assumption), that means we've already knocked out the 75-80% of the sources of spoofed IP address attacks. Has anyone seen a commensurate reduction in DDoS attacks? I sure haven't heard of that. Are people saying that the problem would be several times worse if anti-spoofing weren't in place? As best I can tell, the limiting factor on attack rates isn't the lack of sources but the lack of a profit motive for launching the attacks.

Put another way, anti-spoofing does three things: it makes reflector attacks harder, it makes it easier to use ACLs to block sources, and it helps people track down the bot and notify the admin. Are people actually successfully doing either of the latter two? I'd be surprised if there were much of either. That leaves reflector attacks. Are those that large a portion of the attacks people are seeing?

I agree that anti-spoofing is a good idea, and I've said so for a long time. I was one of the people who insisted that AT&T do it, way back when. But I'm not convinced it's a major factor here.

--Steven M. Bellovin, http://www.cs.columbia.edu/~smb