nanog mailing list archives

Re: BCP38 tester?

From: "Dobbins, Roland" <rdobbins () arbor net>
Date: Mon, 1 Apr 2013 07:24:07 +0000


On Apr 1, 2013, at 1:31 PM, Jimmy Hess wrote:

If your packet source address is clamped, then, by definition a host can't spoof a packet, right;  so maybe that's 
not a host that needs to
be tested further  (the upstream provider might still have no BCP38, it's just not exposed to that particular host).


Folks should implement anti-spoofing southbound of their NATs, using uRPF, ACLs, IP Source Guard, Cable IP Source 
Verify, or whatever, in order to keep botted hosts attempting to launch outbound/crossbound spoofed DDoS attacks (such 
as spoofed SYN-floods) from filling up the NAT translation-table and making it fall over, thus creating an outage for 
everything behind the NAT.  I've seen this happen many times, especially in the mobile/fixed wireless space.

Likewise, they should implement anti-spoofing northbound, eastbound, and westbound of the NAT (eastbound and westbound 
assume it's a network of some scope), so that nothing else on their networks can send spoofed packets to external 
networks.

-----------------------------------------------------------------------
Roland Dobbins <rdobbins () arbor net> // <http://www.arbornetworks.com>

          Luck is the residue of opportunity and design.

                       -- John Milton

Current thread:

Re: BCP38 tester? Dobbins, Roland (Apr 01)
- <Possible follow-ups>
- Re: BCP38 tester? Karl Auer (Apr 01)
  - Re: BCP38 tester? Dobbins, Roland (Apr 01)
  - Re: BCP38 tester? Jimmy Hess (Apr 01)
    - Re: BCP38 tester? Jay Ashworth (Apr 01)
    - Re: BCP38 tester? Matt Palmer (Apr 01)
    - Re: BCP38 tester? Jimmy Hess (Apr 02)
    - Re: BCP38 tester? Jay Ashworth (Apr 02)
  - Re: BCP38 tester? Alain Hebert (Apr 01)
    - Re: BCP38 tester? Valdis . Kletnieks (Apr 01)
    - Re: BCP38 tester? Alain Hebert (Apr 01)

(Thread continues...)