nanog mailing list archives

Re: BCP38 thread 93,871,738,435 (was Re: register.com down sev0?)

From: "Steven M. Bellovin" <smb () cs columbia edu>
Date: Thu, 26 Oct 2006 09:33:24 -0400


On Thu, 26 Oct 2006 02:20:48 -0400 (EDT), Sean Donelan <sean () donelan com>
wrote:


The only data I have is from the MIT anti-spoofing test project which
has been pretty consistent for a long time.  About 75%-80% of the nets, 
addressses, ASNs tests couldn't spoof, and about 20%-25% could.

The geo-location maps don't show much difference between parts of
the world.  RIPE countries don't seem to be better or worse than ARIN
countries or APNIC countries or so on.  ISPs on every continent seem
to be about the same.

http://spoofer.csail.mit.edu/summary.php

If someone finds the silver bullet that will change the remaining 25% or
so of networks, I think ISPs on every continent would be interested.


That would be nice -- but I wonder how much operational impact that would
have.

As you note, the 20-25% figure (of addresses) has been pretty constant
for quite a while.  Assuming that subverted machines are uniformly
distributed (a big assumption) and assuming that their methodology is
valid (another big assumption), that means we've already knocked out the
75-80% of the sources of spoofed IP address attacks.  Has anyone seen a
commensurate reduction in DDoS attacks?  I sure haven't heard of that.
Are people saying that the problem would be several times worse if
anti-spoofing weren't in place?  As best I can tell, the limiting factor
on attack rates isn't the lack of sources but the lack of a profit motive
for launching the attacks.

Put another way, anti-spoofing does three things: it makes reflector
attacks harder, it makes it easier to use ACLs to block sources, and it
helps people track down the bot and notify the admin. Are people actually
successfully doing either of the latter two?  I'd be surprised if there
were much of either.  That leaves reflector attacks.  Are those that large
a portion of the attacks people are seeing?

I agree that anti-spoofing is a good idea, and I've said so for a long
time.  I was one of the people who insisted that AT&T do it, way back
when.  But I'm not convinced it's a major factor here.


                --Steven M. Bellovin, http://www.cs.columbia.edu/~smb

Current thread:

Re: BCP38 thread 93,871,738,435 (was Re: register.com down sev0?) Fergie (Oct 25)
- Re: BCP38 thread 93,871,738,435 (was Re: register.com down sev0?) Sean Donelan (Oct 25)
  - Re: BCP38 thread 93,871,738,435 (was Re: register.com down sev0?) Per Heldal (Oct 26)
  - Re: BCP38 thread 93,871,738,435 (was Re: register.com down sev0?) Steven M. Bellovin (Oct 26)
    - Re: BCP38 thread 93,871,738,435 Florian Weimer (Oct 26)
    - Re: BCP38 thread 93,871,738,435 Steven M. Bellovin (Oct 26)
    - Re: BCP38 thread 93,871,738,435 + SPF Douglas Otis (Oct 26)
    - Re: BCP38 thread 93,871,738,435 + SPF Michael . Dillon (Oct 27)
    - Re: BCP38 thread 93,871,738,435 + SPF Chris L. Morrow (Oct 27)
    - Re: BCP38 thread 93,871,738,435 + SPF Michael . Dillon (Oct 27)
    - Re: BCP38 thread 93,871,738,435 + SPF Chris L. Morrow (Oct 27)
    - Re: BCP38 thread 93,871,738,435 + SPF Douglas Otis (Oct 27)
    - Re: BCP38 thread 93,871,738,435 + SPF Gadi Evron (Oct 27)
    - Re: BCP38 thread 93,871,738,435 + SPF Douglas Otis (Oct 29)

(Thread continues...)