[162013] in North American Network Operators' Group


Re: BCP38 tester?

daemon@ATHENA.MIT.EDU (Dobbins, Roland)
Mon Apr 1 03:24:24 2013

From: "Dobbins, Roland" <rdobbins@arbor.net>
To: NANOG list <nanog@nanog.org>
Date: Mon, 1 Apr 2013 07:24:07 +0000
In-Reply-To: <CAAAwwbUB-8G==ZzCtn_C5Yncd_t2==KNT_POZFdVPHW9BLS55g@mail.gmail.com>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org


On Apr 1, 2013, at 1:31 PM, Jimmy Hess wrote:

> If your packet source address is clamped, then, by definition a host can't spoof a packet, right; so maybe that's not a host that needs to
> be tested further (the upstream provider might still have no BCP38, it's just not exposed to that particular host).

Folks should implement anti-spoofing southbound of their NATs, using uRPF, ACLs, IP Source Guard, Cable IP Source Verify, or whatever, in order to keep botted hosts attempting to launch outbound/crossbound spoofed DDoS attacks (such as spoofed SYN-floods) from filling up the NAT translation-table and making it fall over, thus creating an outage for everything behind the NAT. I've seen this happen many times, especially in the mobile/fixed wireless space.

Likewise, they should implement anti-spoofing northbound, eastbound, and westbound of the NAT (eastbound and westbound assume it's a network of some scope), so that nothing else on their networks can send spoofed packets to external networks.

-----------------------------------------------------------------------
Roland Dobbins <rdobbins@arbor.net> // <http://www.arbornetworks.com>

	  Luck is the residue of opportunity and design.

		       -- John Milton
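
As an added illustration, not part of the post above, the following Python models the strict and loose uRPF source checks Roland refers to, applied on the subscriber-facing side of a NAT edge. The FIB, interface names and packet batch are constructed for the example.

```python
import ipaddress

# Constructed FIB for a small NAT edge router: prefix -> interface the route exits on.
FIB = {
    "0.0.0.0/0": "wan0",        # default route toward the upstream
    "10.20.0.0/16": "lan0",     # subscriber segment south of the NAT
    "10.20.5.0/24": "lan1",     # more-specific subscriber segment on another port
    "192.0.2.0/24": "wan0",     # an externally routed block learned via wan0
}
# Longest prefix first, so the first containing entry is the best match.
FIB_ENTRIES = sorted(((ipaddress.ip_network(p), i) for p, i in FIB.items()),
                     key=lambda e: e[0].prefixlen, reverse=True)

def best_route(addr):
    """Longest-prefix match; returns (network, egress_iface) or None."""
    ip = ipaddress.ip_address(addr)
    for net, iface in FIB_ENTRIES:
        if ip in net:
            return net, iface
    return None

def urpf_allows(src, ingress, mode="strict"):
    """Strict: the best route to src must point back out the ingress interface.
    Loose: any non-default route to src suffices (default route ignored,
    as when allow-default is not configured)."""
    match = best_route(src)
    if match is None:
        return False
    net, iface = match
    if mode == "loose":
        return net.prefixlen > 0
    return iface == ingress

def filter_batch(packets, mode="strict"):
    """Split (src, ingress_iface) pairs into (passed, dropped) lists."""
    passed, dropped = [], []
    for src, ingress in packets:
        (passed if urpf_allows(src, ingress, mode) else dropped).append((src, ingress))
    return passed, dropped

# Constructed sample traffic arriving on the subscriber ports.
PACKETS = [
    ("10.20.5.7", "lan1"),      # legitimate host on its own segment
    ("10.20.9.9", "lan0"),      # legitimate host on lan0
    ("198.51.100.4", "lan1"),   # spoofed external source on a subscriber port
    ("10.20.5.8", "lan0"),      # 10.20.5/24 lives on lan1, not lan0
    ("203.0.113.1", "lan0"),    # spoofed external source on a subscriber port
]

if __name__ == "__main__":
    ok, bad = filter_batch(PACKETS)
    print("passed:", ok)
    print("dropped before reaching the NAT:", bad)
```

Spoofed packets are dropped on the ingress port, so they never consume NAT translation-table entries.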
