nanog mailing list archives

Re: Krebs on Security booted off Akamai network after DDoS attack proves pricey


From: Mike Hammett <nanog () ics-il net>
Date: Sun, 25 Sep 2016 11:57:00 -0500 (CDT)

You don't need complete adoption to reduce the attacks. If ASes representing 25% of the current spoofed traffic 
implemented BCP38, then guess what, there's 25% less of an attack. 




----- 
Mike Hammett 
Intelligent Computing Solutions 
http://www.ics-il.com 

Midwest-IX 
http://www.midwest-ix.com 

----- Original Message -----

From: "Ca By" <cb.list6 () gmail com> 
To: "Jay R. Ashworth" <jra () baylink com> 
Cc: "North American Network Operators' Group" <nanog () nanog org> 
Sent: Sunday, September 25, 2016 10:13:24 AM 
Subject: Re: Krebs on Security booted off Akamai network after DDoS attack proves pricey 

On Sunday, September 25, 2016, Jay R. Ashworth <jra () baylink com> wrote: 

----- Original Message ----- 
From: "Ca By" <cb.list6 () gmail com>

On Sunday, September 25, 2016, Jay Farrell via NANOG <nanog () nanog org> wrote:

And of course Brian Krebs has a thing or two to say, not the least of which
is to push for BCP38 (good luck with that, right?).

https://krebsonsecurity.com/2016/09/the-democratization-of-censorship/ 

Yeh, bcp38 is not a viable solution. 

As long as there is one spoof capable network on the net, the problem will
not be solved. While bcp38 is a true bcp, it is not a solution. It will
not, and has not, moved the needle.

No; things which are not implemented anywhere generally don't move the 
needle. 


It is implemented many places in fact. 


You're confusing cause and effect here, I think. 


I will argue you are confused. 


You give no evidence that *pervasive implementation of 38* would *not* move 
the needle, and that's where we are right now: we do not have anything that 
looks like "pervasive implementation". 

*Ten* people could solve this problem. Tomorrow. 

The chief engineers of the top 10 US eyeball providers could simply sit down
and say "let's go do this thing". And better than 80% of the potential sources
would just vanish off the face of the internet.


Assume every network in the usa implements bcp38. 

This simply means no spoofs source from usa. Every packet is sent from the 
usa using a valid origin. 

Assume also 50% of networks in Europe and Asia and the Southern Hemisphere 
do bcp38 too. 

Great. 

The result is the needle has not moved at all. 

CC nodes in the non bcp38 locations will send spoofed packets whose destination
is comcast and att with a source of krebs.

Result? Comcast and att cpe respond with crap to krebs. Ddos success
despite bcp38 in all of usa.





Do I need to go do research, and name these 10 people? :-) 

Cheers, 
-- jra 
--
Jay R. Ashworth          Baylink                      jra () baylink com
Designer                 The Things I Think           RFC 2100
Ashworth & Associates    http://www.bcp38.info        2000 Land Rover DII
St Petersburg FL USA     BCP38: Ask For It By Name!   +1 727 647 1274
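
The filter-placement point argued in this thread, as an added example that is not part of any poster's message: a BCP38 ingress check applied to one spoofed request and the reply it triggers, showing that filtering at the reflector's network passes the reply while filtering at the origin network drops the request. Addresses, prefixes and function names are constructed for illustration (RFC 5737 documentation ranges).

```python
import ipaddress

VICTIM = "192.0.2.10"        # constructed addresses, RFC 5737 documentation ranges
REFLECTOR = "203.0.113.53"   # a customer device that answers unsolicited queries

def bcp38_permits(src, customer_prefixes):
    """Ingress check at a customer-facing edge: the source address must
    belong to a prefix assigned to the customer the packet came from."""
    addr = ipaddress.ip_address(src)
    return any(addr in ipaddress.ip_network(p) for p in customer_prefixes)

def reply_reaches_victim(origin_prefixes, origin_filters,
                         reflector_prefixes, reflector_filters):
    """Trace one spoofed request and the reply it would trigger."""
    # 1. The request leaves the origin network with src=VICTIM. Only the
    #    origin's own edge sees it as customer traffic and can judge it.
    if origin_filters and not bcp38_permits(VICTIM, origin_prefixes):
        return False
    # 2. The request enters the reflector's network from a peer or transit
    #    link, not a customer port, so customer-edge BCP38 never inspects it.
    # 3. The reply carries the reflector's genuine address, which passes
    #    the reflector network's own ingress check.
    reply_src = REFLECTOR
    if reflector_filters and not bcp38_permits(reply_src, reflector_prefixes):
        return False
    return True

def surviving_share(origins, reflector_prefixes, reflector_filters=True):
    """Share of spoofed request volume whose replies still reach the victim.
    `origins` is a list of (prefixes, filters, share_of_spoofed_traffic)."""
    return sum(share for prefixes, filters, share in origins
               if reply_reaches_victim(prefixes, filters,
                                       reflector_prefixes, reflector_filters))
```
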


