[169140] in North American Network Operators' Group
Re: Permitting spoofed traffic [Was: Re: ddos attack blog]
daemon@ATHENA.MIT.EDU (Paul Ferguson)
Fri Feb 14 21:08:49 2014
Date: Fri, 14 Feb 2014 18:07:07 -0800
From: Paul Ferguson <fergdawgster@mykolab.com>
To: nanog-post@rsuc.gweep.net
In-Reply-To: <20140215000946.GA58005@gweep.net>
Cc: nanog list <nanog@nanog.org>
Reply-To: fergdawgster@mykolab.com
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On 2/14/2014 4:09 PM, Joe Provo wrote:
> On Fri, Feb 14, 2014 at 10:42:55AM -0800, Paul Ferguson wrote:
> [snip]
>> Taken to the logical extreme, the "right thing" to do is to deny
>> any spoofed traffic from abusing these services altogether. NTP
>> is not the only one; there is also SNMP, DNS, etc.
>
> ...and then we're back to "implement BCP38 already!" (like one of
> the authors of the document didn't think of that, ferg? ;-)
>
> NB: Some Entities believe all filtering is 'bcp 38' and thus have
> given this stone-dead logical and sane practice a bad rap. If
> someone is sloppy with their IRR-based filters or can't drive loose
> RPF correctly, that isn't the fault of BCP38.
>
> The document specifically speaks to aggregation points, most
> clearly in the introduction: "In other words, if an ISP is
> aggregating routing announcements for multiple downstream networks,
> strict traffic filtering should be used to prohibit traffic which
> claims to have originated from outside of these aggregated
> announcements."
>
> This goes for access, hosting, and most recently virtual hosting in
> teh cloude. Stop forgery at your edges and your life will be
> easier.
>
Indeed -- I'm not in the business of bit-shipping these days, so I
can't endorse or advocate any particular method of blocking spoofed IP
packets in your gear.
I can, however, say with confidence that it is still a good idea.
Great idea, even. :-)
- ferg
--
Paul Ferguson
VP Threat Intelligence, IID
PGP Public Key ID: 0x54DC85B2
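An added illustration, not part of the thread or of the BCP38 document: the strict per-downstream source filter quoted above, next to a loose RPF check, run over constructed packets. The interface names, prefixes (RFC 5737 documentation ranges) and function names are assumptions made for the example.

```python
import ipaddress

# Constructed sample data; nothing here comes from the thread.
# Prefixes the ISP aggregates and announces for each downstream interface.
DOWNSTREAM_PREFIXES = {
    "cust-a": ["192.0.2.0/25"],
    "cust-b": ["192.0.2.128/25", "198.51.100.0/24"],
}
# Other routes the edge router knows (what a loose RPF check also consults).
OTHER_ROUTES = ["203.0.113.0/24"]


def _nets(prefixes):
    return [ipaddress.ip_network(p) for p in prefixes]


def strict_ingress_permit(interface, src):
    """BCP38-style filter: the source must fall inside the prefixes
    announced for the downstream attached to this interface."""
    addr = ipaddress.ip_address(src)
    return any(addr in n for n in _nets(DOWNSTREAM_PREFIXES.get(interface, [])))


def loose_rpf_permit(src):
    """Loose RPF: any route to the source, via any interface, is enough."""
    addr = ipaddress.ip_address(src)
    routes = OTHER_ROUTES + [p for ps in DOWNSTREAM_PREFIXES.values() for p in ps]
    return any(addr in n for n in _nets(routes))


def classify(packets):
    """Return (interface, src, strict verdict, loose verdict) per packet."""
    return [(i, s, strict_ingress_permit(i, s), loose_rpf_permit(s))
            for i, s in packets]


# Constructed packets: (arriving interface, claimed source address).
SAMPLE = [
    ("cust-a", "192.0.2.10"),    # legitimate: inside cust-a's prefix
    ("cust-a", "192.0.2.200"),   # forged: cust-b's space arriving from cust-a
    ("cust-a", "203.0.113.5"),   # forged: space routed elsewhere entirely
    ("cust-b", "10.1.2.3"),      # forged: no route to this source at all
]

if __name__ == "__main__":
    for iface, src, strict, loose in classify(SAMPLE):
        print(f"{iface:7} {src:15} strict={'permit' if strict else 'drop':6} "
              f"loose={'permit' if loose else 'drop'}")
```

Only the strict check drops the two forged sources that still have a route somewhere in the table; the loose check catches only the unrouted one.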