[191663] in North American Network Operators' Group


Re: Krebs on Security booted off Akamai network after DDoS attack

daemon@ATHENA.MIT.EDU (Ca By)
Sun Sep 25 11:13:29 2016

X-Original-To: nanog@nanog.org
In-Reply-To: <1835846730.157.1474815704457.JavaMail.zimbra@baylink.com>
From: Ca By <cb.list6@gmail.com>
Date: Sun, 25 Sep 2016 08:13:24 -0700
To: "Jay R. Ashworth" <jra@baylink.com>
Cc: North American Network Operators' Group <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org

On Sunday, September 25, 2016, Jay R. Ashworth <jra@baylink.com> wrote:

> ----- Original Message -----
> > From: "Ca By" <cb.list6@gmail.com>
>
> > On Sunday, September 25, 2016, Jay Farrell via NANOG <nanog@nanog.org>
> > wrote:
> >
> >> And of course Brian Krebs has a thing or two to say, not the least of which
> >> is to push for BCP38 (good luck with that, right?).
> >>
> >> https://krebsonsecurity.com/2016/09/the-democratization-of-censorship/
> >
> > Yeh, bcp38 is not a viable solution.
> >
> > As long as there is one spoof capable network on the net, the problem will
> > not be solved. While bcp38 is a true bcp, it is not a solution. It will
> > not, and has not, moved the needle.
>
> No; things which are not implemented anywhere generally don't move the
> needle.
>
>
It is implemented many places in fact.


> You're confusing cause and effect here, I think.
>
>
I will argue you are confused.


> You give no evidence that *pervasive implementation of 38* would *not* move
> the needle, and that's where we are right now: we do not have anything that
> looks like "pervasive implementation".
>
> *Ten* people could solve this problem.  Tomorrow.
>
> The chief engineers of the top 10 US eyeball providers could simply sit down
> and say "let's go do this thing".  And better than 80% of the potential sources
> would just vanish off the face of the internet.
>
>
Assume every network in the USA implements bcp38.

This simply means no spoofs are sourced from the USA. Every packet is sent from
the USA using a valid origin.

Assume also 50% of networks in Europe and Asia and the Southern Hemisphere
do bcp38 too.

Great.

The result is the needle has not moved at all.

CC nodes in the non bcp38 locations will send spoofed packets whose destination
is Comcast and AT&T with a source of Krebs.

Result?  Comcast and AT&T CPE responds with crap to Krebs. DDoS success
despite bcp38 in all of the USA.





> Do I need to go do research, and name these 10 people?  :-)
>
> Cheers,
> -- jra
> --
> Jay R. Ashworth                  Baylink                       jra@baylink.com
> Designer                     The Things I Think                       RFC 2100
> Ashworth & Associates       http://www.bcp38.info          2000 Land Rover DII
> St Petersburg FL USA      BCP38: Ask For It By Name!           +1 727 647 1274
>
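
The filtering scenario discussed in the message above, as an added example that is not part of the original post: a toy model of where a BCP38 source check applies when a reply is triggered by a request with a claimed source. The network names are hypothetical and the addresses are constructed from RFC 5737 documentation prefixes.

```python
"""Toy model of BCP38 source address validation and one reflected flow.
All networks and addresses below are constructed for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Network:
    name: str
    prefix: str
    bcp38: bool  # True: the edge drops packets whose source is outside `prefix`

    def permits(self, src: str) -> bool:
        """Egress check applied to a packet originated inside this network."""
        return (not self.bcp38) or ip_address(src) in ip_network(self.prefix)


def locate(nets, addr):
    """Return the network whose prefix contains addr."""
    return next(n for n in nets if ip_address(addr) in ip_network(n.prefix))


def reflected_flow(nets, sender_net, claimed_src, responder_addr):
    """Trace one request and the reply it triggers.

    Returns (request_forwarded, reply_passes_filter, reply_destination).
    """
    if not sender_net.permits(claimed_src):
        return (False, False, None)  # dropped at the sender's own edge
    responder_net = locate(nets, responder_addr)
    # The responder answers from its own address, so its network's filter
    # sees a valid source and has nothing to reject.
    return (True, responder_net.permits(responder_addr), claimed_src)


US_EYEBALL = Network("us-eyeball", "192.0.2.0/24", bcp38=True)
UNFILTERED = Network("unfiltered", "198.51.100.0/24", bcp38=False)
VICTIM = Network("victim", "203.0.113.0/24", bcp38=True)
NETS = [US_EYEBALL, UNFILTERED, VICTIM]


def scenario(sender_filters: bool):
    """Same request, with or without BCP38 at the sender's network."""
    sender = Network(UNFILTERED.name, UNFILTERED.prefix, bcp38=sender_filters)
    return reflected_flow(NETS, sender, "203.0.113.10", "192.0.2.53")


if __name__ == "__main__":
    print("sender network without BCP38:", scenario(False))
    print("sender network with BCP38:   ", scenario(True))
```

In this model the only filter that ever sees an invalid source is the one at the sender's network; the filter at the responder's network always sees a valid source.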
