nanog mailing list archives

Re: large BCP38 compliance testing


From: Alain Hebert <ahebert () pubnix net>
Date: Thu, 02 Oct 2014 08:16:57 -0400

On 10/02/14 06:10, Mikael Abrahamsson wrote:

Hi,

To fix a lot of the DDOS attacks going on, we need to make sure BCP38
compliance goes up. Only way to do this I can think of, is large scale
BCP38 testing. One way of doing this, is to have large projects such
as OpenWRT, RIPE Atlas project, perhaps even CPE vendors, implement
something that would spoof 1 packet per day or something to a known
destination, and in this packet the "real" source address of the
packet is included.

    A proof of concept could be as simple as a basic BCP38 test
implemented in the OpenWRT/DD-WRT UI.

I have been getting pushback from people that this might be "illegal".
Could anyone please tell me what's illegal about trying to send a
packet with a random source address?

    You could reserve yourself an IP address in a subnet you own and use
that as a source IP for testing.

If we can get consensus in the operational world that this is actually
ok, would that help organisations to implement this kind of testing? I
could see vendors implement a test like "help verify network stability
and compliance, these tests are anonymous" checkbox during the initial
install, or something like this.

In short:

    . Test Client calls the BCP38 Test Server for a Token;
    . Test Client sends a test packet with that token in the payload;
    . Test Client calls the BCP38 Test Server with the Token and the
server returns pass or fail, which is displayed back in the CPE UI;

    While oversimplified, BCP38.org has some Perl scripts from last
year's NTP DDoS rush that actually do part of this.

    If the initial proof of concept gets traction, a more complete BCP38
test set can be implemented; there are a few projects out there that
could be approached for it.

Why isn't this being done? Why are we complaining about 300 gigabit/s
DDOS attacks, asking people to fix their open resolvers, NTP servers
etc, when the actual culprit is that some networks in the world don't
implement BCP38?

    "most networks in the world"

    BCP38 compliance is the exception not the norm.

    PS: About that uRPF convo, we could dump all that knowledge into,
let's say... some comprehensive wiki page maybe =D  That way when the
topic arises we could just link to it.
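The three-step token exchange sketched above, written out as the server side only, is an added illustration and not code from the thread or from BCP38.org. It assumes the client also sends one unspoofed control packet carrying the token, so the server can tell "the spoofed packet was filtered" (pass) from "nothing reached us at all" (inconclusive); token TTL and the Observation/Bcp38TestServer names are constructed for this example.

```python
import secrets
import time
from dataclasses import dataclass, field

TOKEN_TTL = 300  # seconds a token stays usable (assumed value for this example)


@dataclass
class Observation:
    observed_src: str  # source address the server actually saw on the wire
    claimed_src: str   # "real" address the client put in the payload


@dataclass
class Bcp38TestServer:
    """Server side of the test: issue token, record packets, return a verdict."""
    issued: dict = field(default_factory=dict)  # token -> issue time
    seen: dict = field(default_factory=dict)    # token -> list[Observation]

    def issue_token(self, now=None):
        """Step 1: hand the client an unguessable token tied to an issue time."""
        tok = secrets.token_hex(16)
        self.issued[tok] = time.time() if now is None else now
        return tok

    def record_packet(self, token, observed_src, claimed_src, now=None):
        """Step 2: a packet carrying a token arrives; log observed vs claimed source.
        Unknown or expired tokens are dropped so nobody can plant a verdict."""
        now = time.time() if now is None else now
        issued_at = self.issued.get(token)
        if issued_at is None or now - issued_at > TOKEN_TTL:
            return False
        self.seen.setdefault(token, []).append(Observation(observed_src, claimed_src))
        return True

    def verdict(self, token):
        """Step 3: 'fail' if any packet reached us with a forged source,
        'pass' if only the control packet did, 'inconclusive' if nothing did."""
        if token not in self.issued:
            return "unknown"
        obs = self.seen.get(token, [])
        if any(o.observed_src != o.claimed_src for o in obs):
            return "fail"  # spoofed packet got through: no BCP38 filtering upstream
        if not any(o.observed_src == o.claimed_src for o in obs):
            return "inconclusive"  # no control packet, so filtering cannot be inferred
        return "pass"
```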

