[174819] in North American Network Operators' Group
Re: large BCP38 compliance testing
daemon@ATHENA.MIT.EDU (Brian Rak)
Thu Oct 2 14:24:26 2014
X-Original-To: nanog@nanog.org
Date: Thu, 02 Oct 2014 14:24:18 -0400
From: Brian Rak <brak@gameservers.com>
To: Mikael Abrahamsson <swmike@swm.pp.se>, nanog@nanog.org
In-Reply-To: <alpine.DEB.2.02.1410021206100.14735@uplift.swm.pp.se>
Errors-To: nanog-bounces@nanog.org
On 10/2/2014 6:10 AM, Mikael Abrahamsson wrote:
>
> Hi,
>
> To fix a lot of the DDoS attacks going on, we need to make sure BCP38
> compliance goes up. The only way to do this I can think of is large-scale
> BCP38 testing. One way of doing this is to have large projects such
> as OpenWRT, RIPE Atlas project, perhaps even CPE vendors, implement
> something that would spoof 1 packet per day or something to a known
> destination, and in this packet the "real" source address of the
> packet is included.
>
> I have been getting pushback from people that this might be "illegal".
> Could anyone please tell me what's illegal about trying to send a
> packet with a random source address?
>
> If we can get consensus in the operational world that this is actually
> ok, would that help organisations to implement this kind of testing? I
> could see vendors implement a test like "help verify network stability
> and compliance, these tests are anonymous" checkbox during the initial
> install, or something like this.
>
> Why isn't this being done? Why are we complaining about 300 gigabit/s
> DDoS attacks, asking people to fix their open resolvers, NTP servers
> etc., when the actual culprit is that some networks in the world don't
> implement BCP38?
>
A lot of the discussion on BCP38 seems to be around providers who are
unintentionally allowing IP spoofing.
What about providers who knowingly allow IP spoofing, because it's
profitable?
There's a provider that basically caters to the DDoS-as-a-service
industry by selling servers with unmetered connections, where they allow
IP spoofing. (If you've ever looked into this at all, you know exactly
who I'm talking about).
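The probe Mikael describes above, one packet with a forged IP source whose payload carries the sender's real address, can be built and judged at the collector with a few dozen lines. The following is an added example, not code from either poster or from any of the projects named (OpenWRT, RIPE Atlas); the payload marker `BCP38PROBE`, the port numbers and the IPv4 addresses are constructed for illustration. It builds the raw IPv4/UDP probe bytes, and on the receiving side verifies the header, pulls out both addresses, and decides per source network whether a spoofed packet got through. The UDP checksum is left at zero, which IPv4 permits.

```python
import ipaddress
import struct

# Hypothetical marker so the collector can tell probes from stray traffic.
PROBE_MAGIC = b"BCP38PROBE"


def ip_checksum(data: bytes) -> int:
    """RFC 791 header checksum: ones' complement of the ones' complement sum.
    Over a header that already carries a valid checksum the result is 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_probe(real_src, spoofed_src, dst, sport=40000, dport=53001, ident=1):
    """Return the bytes of one probe: IPv4 header with `spoofed_src` as the
    source, UDP, and a payload of MAGIC + the sender's real IPv4 address.
    For the control packet the caller passes real_src == spoofed_src."""
    payload = PROBE_MAGIC + ipaddress.IPv4Address(real_src).packed
    udp_len = 8 + len(payload)
    udp = struct.pack("!HHHH", sport, dport, udp_len, 0) + payload  # checksum 0 = none
    ip_hdr = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + udp_len, ident, 0, 64, 17, 0,  # ver/ihl, tos, len, id, frag, ttl, proto, csum
        ipaddress.IPv4Address(spoofed_src).packed,
        ipaddress.IPv4Address(dst).packed,
    )
    ip_hdr = ip_hdr[:10] + struct.pack("!H", ip_checksum(ip_hdr)) + ip_hdr[12:]
    return ip_hdr + udp


def parse_probe(pkt: bytes):
    """Collector side. Return (outer_src, claimed_real_src) for a well-formed
    probe, or None for anything else (wrong version, bad checksum, no marker)."""
    if len(pkt) < 28 or pkt[0] >> 4 != 4 or pkt[9] != 17:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if ip_checksum(pkt[:ihl]) != 0:
        return None
    outer_src = str(ipaddress.IPv4Address(pkt[12:16]))
    udp = pkt[ihl:]
    udp_len = struct.unpack("!H", udp[4:6])[0]
    payload = udp[8:udp_len]
    if not payload.startswith(PROBE_MAGIC) or len(payload) != len(PROBE_MAGIC) + 4:
        return None
    claimed = str(ipaddress.IPv4Address(payload[len(PROBE_MAGIC):]))
    return outer_src, claimed


def classify(pkt: bytes) -> str:
    """'spoofed-delivered' means the network of the claimed real source
    forwarded a packet whose IP source it does not own, i.e. no BCP38 filter."""
    parsed = parse_probe(pkt)
    if parsed is None:
        return "not-a-probe"
    outer, real = parsed
    return "unspoofed" if outer == real else "spoofed-delivered"


def summarize(packets) -> dict:
    """Group received probes by claimed real source. One delivered spoofed
    probe is positive proof of 'not-filtering'. Seeing only the unspoofed
    control packet means the spoofed twin was presumably dropped en route,
    so the network is marked 'filtering' (absence of evidence, hence weaker)."""
    verdict = {}
    for pkt in packets:
        parsed = parse_probe(pkt)
        if parsed is None:
            continue
        outer, real = parsed
        if outer != real:
            verdict[real] = "not-filtering"
        else:
            verdict.setdefault(real, "filtering")
    return verdict
```

Putting the probe on the wire needs a raw socket with `IP_HDRINCL` set (root on Linux), which is exactly the operation that draws the "is this legal" pushback; the collector only ever receives, and the control packet is what lets it distinguish "filtered" from "client never ran".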