[169138] in North American Network Operators' Group

Re: Permitting spoofed traffic [Was: Re: ddos attack blog]

daemon@ATHENA.MIT.EDU (Joe Provo)
Fri Feb 14 19:10:10 2014

Date: Fri, 14 Feb 2014 19:09:46 -0500
From: Joe Provo <nanog-post@rsuc.gweep.net>
To: nanog list <nanog@nanog.org>
In-Reply-To: <52FE63AF.8010800@mykolab.com>
Reply-To: nanog-post@rsuc.gweep.net
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

On Fri, Feb 14, 2014 at 10:42:55AM -0800, Paul Ferguson wrote:
[snip]
> Taken to the logical extreme, the "right thing" to do is to deny any
> spoofed traffic from abusing these services altogether. NTP is not the
> only one; there is also SNMP, DNS, etc.
 
...and then we're back to "implement BCP38 already!" (like one of 
the authors of the document didn't think of that, ferg? ;-)

NB: Some Entities believe all filtering is 'bcp 38' and thus have 
given this stone-dead logical and sane practice a bad rap. If 
someone is sloppy with their IRR-based filters or can't drive loose 
RPF correctly, that isn't the fault of BCP38.  

The document specifically speaks to aggregation points, most clearly
in the introduction:
"In other words, if an ISP is aggregating routing announcements 
 for multiple downstream networks, strict traffic filtering should 
 be used to prohibit traffic which claims to have originated from 
 outside of these aggregated announcements."

This goes for access, hosting, and most recently virtual hosting 
in teh cloude. Stop forgery at your edges and your life will be 
easier.

Cheers,

Joe

-- 
        RSUC / GweepNet / Spunk / FnB / CotSG / Usenix / NANOG
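
Added example, not part of the message above: a simplified Python model of the source-address check at an aggregating edge that the quoted BCP38 passage describes, contrasting strict RPF with loose RPF. The route table, interface names, packets and the `allow_default` parameter are constructed for illustration; all addresses are documentation ranges.

```python
import ipaddress

# Constructed route table for an aggregating edge router: (prefix, interface).
FIB = [
    ("192.0.2.0/24", "cust-a"),
    ("198.51.100.0/25", "cust-b"),
    ("198.51.100.128/25", "cust-c"),
    ("0.0.0.0/0", "upstream"),
]
ROUTES = [(ipaddress.ip_network(p), i) for p, i in FIB]

def best_route(src):
    """Longest-prefix match; returns (network, interface) or None."""
    addr = ipaddress.ip_address(src)
    hits = [(n, i) for n, i in ROUTES if addr in n]
    return max(hits, key=lambda h: h[0].prefixlen) if hits else None

def strict_rpf(src, in_iface):
    """Permit only if the best route back to src points out in_iface."""
    route = best_route(src)
    return route is not None and route[1] == in_iface

def loose_rpf(src, in_iface, allow_default=False):
    """Permit if some route to src exists on any interface.
    If a default route is allowed to satisfy the check, every source passes."""
    route = best_route(src)
    if route is None:
        return False
    return allow_default or route[0].prefixlen > 0

def classify(packets, check):
    """Return (src, iface, verdict) for each packet under the given check."""
    return [(s, i, "permit" if check(s, i) else "drop") for s, i in packets]

# Constructed sample: (source address, interface the packet arrived on).
PACKETS = [
    ("192.0.2.10", "cust-a"),      # source inside cust-a's announcement
    ("203.0.113.7", "cust-a"),     # source outside every customer prefix
    ("198.51.100.200", "cust-b"),  # source belongs to cust-c, arrives from cust-b
]

if __name__ == "__main__":
    for name, check in (("strict", strict_rpf), ("loose", loose_rpf)):
        for src, iface, verdict in classify(PACKETS, check):
            print(f"{name:6} {iface:7} {src:15} {verdict}")
```

Strict mode drops both forged sources at the customer edge; loose mode still permits the packet forged from a neighbouring customer's prefix, which is why it is not a substitute at aggregation points.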

