[52699] in North American Network Operators' Group
Re: Who does source address validation? (was Re: what's that smell?)
daemon@ATHENA.MIT.EDU (Valdis.Kletnieks@vt.edu)
Tue Oct 8 17:24:08 2002
To: Iljitsch van Beijnum <iljitsch@muada.com>
Cc: nanog@merit.edu
In-Reply-To: Your message of "Tue, 08 Oct 2002 22:57:42 +0200." <20021008225349.S85622-100000@sequoia.muada.com>
From: Valdis.Kletnieks@vt.edu
Date: Tue, 08 Oct 2002 17:23:36 -0400
Errors-To: owner-nanog-outgoing@merit.edu
On Tue, 08 Oct 2002 22:57:42 +0200, Iljitsch van Beijnum said:
> Ok, but how do you generate megabits worth of traffic for which there is
> no return traffic? At some level, someone or something must be trying to
> do something _really hard_ but keep failing every time. It just doesn't
> make sense.
Imagine if you will the following config:
(pipe to ISP)  +------+  DMZ 10.1.1/24  +-----+  internal 192.68.1/22
===============|router|-----------------| NAT |-------
               +------+                 +-----+
Now give the router a default route to the ISP - and then screw the NAT
config up so 198.68.1 packets show up on the DMZ. Or have something catch
a broken RIP announcement.. or any number of stupid things. Whoosh, instant
money for the ISP.. ;)
Last April (2001), while worrying about the NTP buffer overflow, we ran
a trace to see where NTP packets were going. In a 10 minute span, we
caught no less than 6 packets looking for an address that had been a
stratum-2 server - 11 years previously.
They've probably generated megabits of data for so long that they don't
even realize there's a problem. The perpetrators have retired or moved on,
and the incumbent admins don't see anything anomalous since it's always been
that way. Remember - the sort of admin that's not clued enough to get his
NAT to behave is probably the sort that wouldn't know how to run a network
monitor on his outbound pipe either. Lots of unclued admins out there...
--
Valdis Kletnieks
Computer Systems Senior Engineer
Virginia Tech
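The failure mode in the post (internal or DMZ addresses escaping onto the ISP pipe because the NAT or routing is misconfigured, then never getting a reply) is exactly what source address validation at the edge is meant to catch. The following is an added example, not code from the post or from any NANOG participant: a small egress check in the BCP 38 style, run over a constructed packet sample, plus a per-destination tally like the one the author's 10-minute NTP trace produced. The site's public allocation (203.0.113.0/24, a documentation prefix), the sample packets and the function names are all assumptions; the DMZ and internal prefixes are taken from the diagram, with 192.68.1/22 normalized to its covering /22.

```python
"""Source address validation (BCP 38 style egress check) and a destination
tally, run over constructed sample traffic. Nothing here is real capture data."""

import ipaddress
from collections import Counter

# Assumed: the site's public allocation, the only legitimate source range on
# the pipe to the ISP once the NAT has done its job.
ALLOWED_SOURCE_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]

# From the post's diagram. 192.68.1/22 as written has host bits set, so it is
# normalized (strict=False) to the covering network 192.68.0.0/22.
DMZ = ipaddress.ip_network("10.1.1.0/24")
INTERNAL = ipaddress.ip_network("192.68.1.0/22", strict=False)

# Constructed sample of (src, dst, dport) seen outbound on the ISP-facing link.
SAMPLE_PACKETS = [
    ("203.0.113.7", "192.0.2.10", 123),
    ("203.0.113.7", "192.0.2.10", 123),
    ("192.68.1.20", "192.0.2.10", 123),   # internal address that got past the NAT
    ("192.68.2.9", "198.51.100.5", 53),   # another one
    ("10.1.1.5", "192.0.2.10", 123),      # DMZ private address on the pipe
    ("203.0.113.9", "198.51.100.5", 53),
    ("172.16.4.4", "192.0.2.10", 123),    # RFC 1918 source that is not this site at all
]


def classify_source(src):
    """Say why a source address is or is not acceptable on the ISP link."""
    ip = ipaddress.ip_address(src)
    if any(ip in net for net in ALLOWED_SOURCE_PREFIXES):
        return "allowed"
    if ip in INTERNAL:
        return "leak:internal"
    if ip in DMZ:
        return "leak:dmz"
    if ip.is_private:
        return "unknown_private"
    return "unknown"


def validate(packets):
    """Split packets into those a BCP 38 egress filter would forward and
    those it would drop; dropped entries carry the reason for the operator."""
    forwarded, dropped = [], []
    for src, dst, dport in packets:
        verdict = classify_source(src)
        if verdict == "allowed":
            forwarded.append((src, dst, dport))
        else:
            dropped.append((src, dst, dport, verdict))
    return forwarded, dropped


def destination_report(packets, dport=None):
    """Count packets per destination, optionally restricted to one port.
    This is the kind of tally that shows a long-dead NTP server still being
    polled: a destination that keeps receiving packets and never answers."""
    counts = Counter()
    for _src, dst, port in packets:
        if dport is None or port == dport:
            counts[dst] += 1
    return counts


if __name__ == "__main__":
    fwd, drp = validate(SAMPLE_PACKETS)
    print(f"forwarded {len(fwd)}, dropped {len(drp)}")
    for entry in drp:
        print("  drop", entry)
    print("udp/123 by destination:", dict(destination_report(SAMPLE_PACKETS, 123)))
```

Run on the site's outbound interface, the dropped list is the thing the post says an unclued admin never looks at: every entry is traffic that leaves the site, can never be answered, and costs bandwidth on the ISP pipe for nothing. The same check placed on the ISP's customer-facing interface is the source address validation the thread's subject line asks about.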