[164896] in North American Network Operators' Group
Re: Spoofing ASNs (Re: SNMP DDoS: the vulnerability you might not
daemon@ATHENA.MIT.EDU (Matthew Petach)
Thu Aug 8 13:40:38 2013
In-Reply-To: <05D03AC0-0124-4C60-A0E7-04E1F9D4CAAD@puck.nether.net>
Date: Thu, 8 Aug 2013 10:40:19 -0700
From: Matthew Petach <mpetach@netflight.com>
To: Jared Mauch <jared@puck.nether.net>
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Thu, Aug 8, 2013 at 10:29 AM, Jared Mauch <jared@puck.nether.net> wrote:
>
> On Aug 1, 2013, at 2:31 AM, Saku Ytti <saku@ytti.fi> wrote:
>
> > On (2013-07-31 17:07 -0700), bottiger wrote:
> >
> >> But realistically those 2 problems are not going to be solved any time
> >> in the next decade. I have tested 7 large hosting networks only one of
> >> them had BCP38.
> >
> > I wonder if it's truly that unrealistic. If we target access networks, it
> > seems impractical target.
> >
> > We have about 40k origin only ASNs and about 7k ASNs which offer transit,
> > who could arguably trivially ACL those 40k peers.
> >
> > If we truly tried, as a community to make deploying these ACLs easy and
> > actively reach out those 7k ASNs and offer help, would it be unrealistic
> to
> > have ACL deployed to sufficiently large portion of networks to make
> > spoofing impractical/expensive?
>
> The following is a sorted list from worst to best of networks that allow
> spoofing: (cutoff here is 25k)
>
> (full list -
> http://openresolverproject.org/full-spoofer-asn-list-201307.txt )
>
>
> Count ASN#
> ------------
> 1323950 3462
> 1300938 4134
> 1270046 8151
> 1213972 9737
...
For the technically clueless among us...
what does "count" refer to in this output?
How many times you were able to spoof
an address through them? How many
different addresses you could spoof through
them? How many spoofed packets made it
through before being blocked?
It's kinda hard to know what the list
represents without a bit of explanation
around it. ^_^;
Thanks! :)
Matt
