[174805] in North American Network Operators' Group
Re: large BCP38 compliance testing
daemon@ATHENA.MIT.EDU (Roland Dobbins)
Thu Oct 2 08:38:14 2014
X-Original-To: nanog@nanog.org
From: Roland Dobbins <rdobbins@arbor.net>
In-Reply-To: <542D4239.1020203@pubnix.net>
Date: Thu, 2 Oct 2014 19:37:55 +0700
To: "nanog@nanog.org list" <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org
On Oct 2, 2014, at 7:16 PM, Alain Hebert <ahebert@pubnix.net> wrote:
> BCP38 compliance is the exception not the norm.
I'm not sure that's actually the case, practically-speaking.
NAT is an awful thing for many reasons, and it's negative in terms of its overall impact on security, but there's one actual benefit from it; it is effectively a form of anti-spoofing.
The prevalence of NAT on consumer broadband access networks means that those networks do not generally emit spoofed packets. The same goes for many SME networks, even though they oughtn't to be running NAT in front of their servers.
My guess is that the majority, if not all, of the reflection/amplification attacks we see are actually initiated from servers under the control of attackers and residing on hosting/co-location IDC networks which don't enforce anti-spoofing at the access, distribution, or peering/transit portions of their topologies. Some of these servers are tied into so-called 'booter' systems, whereas others are linked into more conventional C&C under the direct control of attackers, while still others are utilized to launch attacks 'by hand', as it were.
Those networks are unmanaged and are likely to remain so (or are so-called 'bulletproof' networks catering to criminals). Their peers/upstream transits likewise are not enforcing anti-spoofing on ingress, nor are they monitoring traffic originating from these networks as it ingresses their own networks (and in any event, the traffic volume of the spoofed packets on the attack source - reflector/amplifier leg is relatively small).
So, the problem is that those networks which are likely to implement the various topologically-appropriate at the various edges of their network are likely to have done so. And by definition, the endpoint networks where the spoofed traffic originates aren't likely to do so, nor are their immediate peers/upstream transits - or they would've done so long ago.
----------------------------------------------------------------------
Roland Dobbins <rdobbins@arbor.net> // <http://www.arbornetworks.com>
Equo ne credite, Teucri.
-- Laocoön
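The message above argues that spoofed traffic gets out because hosting/IDC access edges do not apply BCP38-style ingress filtering, while NAT'd broadband pools cannot emit spoofed sources in the first place. As an added illustration (not part of the thread, not any vendor's implementation), the following simulates the check an access-edge router would apply: strict mode admits a source only if it belongs to a prefix routed toward the ingress interface, loose mode only requires the source to exist somewhere in the table. The interface names, prefixes and sample packets are constructed (RFC 5737 documentation ranges).

```python
from ipaddress import ip_address, ip_network

# Constructed topology for a hypothetical IDC/hosting edge router:
# access interface -> customer prefixes routed toward it.
INTERFACE_PREFIXES = {
    "ge-0/0/1": [ip_network("192.0.2.0/25")],      # hosting customer A
    "ge-0/0/2": [ip_network("192.0.2.128/25")],    # hosting customer B
    "ge-0/0/3": [ip_network("198.51.100.0/24")],   # broadband pool behind NAT (public side)
}

def strict_check(iface, src):
    """BCP38 strict mode: the source must lie within a prefix routed via the
    ingress interface itself (what an access-edge ACL or strict uRPF does)."""
    addr = ip_address(src)
    return any(addr in p for p in INTERFACE_PREFIXES.get(iface, []))

def loose_check(src):
    """Loose mode: the source merely has to exist somewhere in the table.
    Weaker: it stops unrouted sources but not a customer using a neighbour's prefix."""
    addr = ip_address(src)
    return any(addr in p for plist in INTERFACE_PREFIXES.values() for p in plist)

def filter_ingress(packets, mode="strict"):
    """Classify (iface, src, dst) tuples; returns (permitted, dropped) lists."""
    permitted, dropped = [], []
    for iface, src, dst in packets:
        ok = strict_check(iface, src) if mode == "strict" else loose_check(src)
        (permitted if ok else dropped).append((iface, src, dst))
    return permitted, dropped

# Constructed sample traffic: two genuine sources, one source that is not
# routed via this router at all, and one borrowed from the neighbouring customer.
SAMPLE = [
    ("ge-0/0/1", "192.0.2.10", "203.0.113.53"),     # customer A, genuine
    ("ge-0/0/3", "198.51.100.77", "203.0.113.53"),  # NAT public address, genuine
    ("ge-0/0/1", "203.0.113.9", "203.0.113.53"),    # unrouted source on A's port
    ("ge-0/0/1", "192.0.2.200", "203.0.113.53"),    # customer B's space on A's port
]

if __name__ == "__main__":
    for mode in ("strict", "loose"):
        ok, bad = filter_ingress(SAMPLE, mode)
        print(mode, "permitted:", len(ok), "dropped:", len(bad))
```

Strict mode drops both bad samples; loose mode lets the neighbour-prefix case through, which is why loose uRPF at the access edge does not deliver what the thread calls topologically-appropriate anti-spoofing.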