nanog mailing list archives
Re: Krebs on Security booted off Akamai network after DDoS attack proves pricey
From: Mike Hammett <nanog () ics-il net>
Date: Sun, 25 Sep 2016 11:57:00 -0500 (CDT)
You don't need complete adoption to reduce the attacks. If ASes representing 25% of the current spoofed traffic implemented BCP38, then guess what, there's 25% less of an attack. ----- Mike Hammett Intelligent Computing Solutions http://www.ics-il.com Midwest-IX http://www.midwest-ix.com ----- Original Message ----- From: "Ca By" <cb.list6 () gmail com> To: "Jay R. Ashworth" <jra () baylink com> Cc: "North American Network Operators' Group" <nanog () nanog org> Sent: Sunday, September 25, 2016 10:13:24 AM Subject: Re: Krebs on Security booted off Akamai network after DDoS attack proves pricey On Sunday, September 25, 2016, Jay R. Ashworth <jra () baylink com> wrote:
----- Original Message -----From: "Ca By" <cb.list6 () gmail com <javascript:;>>On Sunday, September 25, 2016, Jay Farrell via NANOG <nanog () nanog org<javascript:;>>wrote:And of course Brian Krebs has a thing or two to say, not the least iswhichto push for BCP38 (good luck with that, right?). https://krebsonsecurity.com/2016/09/the-democratization-of-censorship/Yeh, bcp38 is not a viable solution. As long as their is one spoof capable network on the net, the problemwillnot be solved. While bcp38 is a true bcp, it is not a solution. It will not, and has not, moved the needle.No; things which are not implemented anywhere generally don't move the needle.
It is implemented many places in fact.
You're confusing cause and effect here, I think.
I will argue you are confused.
You give no evidence that *pervasive implementation of 38* would *not* move the needle, and that's where we are right now: we do not have anything that looks like "pervasive implementation". *Ten* people could solve this problem. Tomorrow. The chief engineers of the top 10 US eyeball providers could simply sit down and say "let's go do this thing". And better than 80% of the potential sources would just vanish off the face of the internet.
Assume every network in the usa implements bcp38. This simply means no spoofs source from usa. Every packet is sent from the usa using a valid origin. Assume also 50% of networks in Europe and Asia and the Southern Hemisphere do bcp38 too. Great. The result is the needle has not moved at all. CC nodes in the non bcp38 locations will send spoofed packets destinations is comcast and att with a source of krebs. Result? Comcast and att cpe responds with crap to krebs. Ddos success despite bcp38 in all of usa.
Do I need to go do research, and name these 10 people? :-) Cheers, -- jra -- Jay R. Ashworth Baylink jra () baylink com <javascript:;> Designer The Things I Think RFC 2100 Ashworth & Associates http://www.bcp38.info 2000 Land Rover DII St Petersburg FL USA BCP38: Ask For It By Name! +1 727 647 1274
Current thread:
- BCP38 deployment [ was Re: Krebs on Security booted off Akamai network after DDoS attack proves pricey ], (continued)
- BCP38 deployment [ was Re: Krebs on Security booted off Akamai network after DDoS attack proves pricey ] Hugo Slabbert (Sep 25)
- Re: BCP38 deployment [ was Re: Krebs on Security booted off Akamai network after DDoS attack proves pricey ] Valdis . Kletnieks (Sep 26)
- Re: BCP38 deployment [ was Re: Krebs on Security booted off Akamai network after DDoS attack proves pricey ] Vincent Bernat (Sep 26)
- Re: Krebs on Security booted off Akamai network after DDoS attack proves pricey Mark Milhollan (Sep 26)
- Re: Krebs on Security booted off Akamai network after DDoS attack proves pricey Royce Williams (Sep 26)
- Message not available
- Re: Krebs on Security booted off Akamai network after DDoS attack proves pricey John Kristoff (Sep 26)
- Re: Krebs on Security booted off Akamai network after DDoS attack proves pricey Ca By (Sep 25)
- Re: Krebs on Security booted off Akamai network after DDoS attack proves pricey Mike Hammett (Sep 25)
- Re: Krebs on Security booted off Akamai network after DDoS attack proves pricey Jay R. Ashworth (Sep 25)
- Re: Krebs on Security booted off Akamai network after DDoS attack proves pricey Ca By (Sep 25)
- Re: Krebs on Security booted off Akamai network after DDoS attack proves pricey Mike Hammett (Sep 25)
- Re: Krebs on Security booted off Akamai network after DDoS attack proves pricey John Levine (Sep 25)
- Re: Krebs on Security booted off Akamai network after DDoS attack proves pricey Ca By (Sep 25)
- Re: Krebs on Security booted off Akamai network after DDoS attack proves pricey John R. Levine (Sep 25)
- Re: Krebs on Security booted off Akamai network after DDoS attack proves pricey Hugo Slabbert (Sep 25)
- Re: Krebs on Security booted off Akamai network after DDoS attack proves pricey John Levine (Sep 26)
- Re: Krebs on Security booted off Akamai network after DDoS attack proves pricey Mark Andrews (Sep 26)
- Re: Krebs on Security booted off Akamai network after DDoS attack proves pricey Livingood, Jason (Sep 26)
- Re: Krebs on Security booted off Akamai network after DDoS attack proves pricey Mark Andrews (Sep 26)
- Re: Krebs on Security booted off Akamai network after DDoS attack proves pricey Mark Andrews (Sep 26)
- Re: Krebs on Security booted off Akamai network after DDoS attack proves pricey Christopher Morrow (Sep 26)