[74897] in North American Network Operators' Group
Re: BCP38 making it work, solving problems
daemon@ATHENA.MIT.EDU (Mark Andrews)
Tue Oct 19 20:12:43 2004
Date: Wed, 20 Oct 2004 10:12:11 +1000 (EST)
From: Mark Andrews <Mark_Andrews@isc.org>
To: nanog@merit.edu
In-Reply-To: <20041019181111.GC47030@puck.nether.net>
Cc:
Errors-To: owner-nanog-outgoing@merit.edu
>dropped over its 25 day uptime:
>
> RPF Failures: Packets: 34889152, Bytes: 12838806927
> RPF Failures: Packets: 4200, Bytes: 449923
> RPF Failures: Packets: 3066337401, Bytes: 122772518288
> RPF Failures: Packets: 30954487, Bytes: 3272647457
> RPF Failures: Packets: 4707582841, Bytes: 227001949225
> RPF Failures: Packets: 11291931, Bytes: 643099278
> RPF Failures: Packets: 291592413, Bytes: 20642951232
> RPF Failures: Packets: 380355, Bytes: 22616137
> RPF Failures: Packets: 607543, Bytes: 31687907
> RPF Failures: Packets: 0, Bytes: 0
> RPF Failures: Packets: 91, Bytes: 6978
> RPF Failures: Packets: 0, Bytes: 0
> RPF Failures: Packets: 0, Bytes: 0
> RPF Failures: Packets: 2, Bytes: 80
> RPF Failures: Packets: 13904, Bytes: 1093686
>
> this means the junk isn't reaching root servers, peers, or
>our customers. mitigating the need to carry this traffic when it
>is of (virtually) no use.
>
And for those you do see, it indicates a misconfigured / compromised
system.
A compromised system that is sending spoofed traffic can
also launch attacks using regular traffic. Think of this
as an early warning system.
The same with those ISPs that block outbound port 25.
Think of it as an early warning system. The customer is
misconfigured or compromised. You need to find out which.
[This is not to say that I agree with the practice of blocking
port 25]
Apply the same logic to anything else you filter outbound.
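
One way to act on the early-warning idea in the message above, as an added example that is not part of the original post: it parses counter lines in the format quoted there from two successive polls and reports where RPF drops grew. The sample polls are constructed, and identifying an interface by its position in the output is an assumption.

```python
import re

# Matches the counter line format quoted in the message above.
RPF_LINE = re.compile(r"RPF Failures: Packets: (\d+), Bytes: (\d+)")

def parse_rpf(text):
    """Return [(packets, bytes), ...] in the order the lines appear."""
    return [(int(p), int(b)) for p, b in RPF_LINE.findall(text)]

def rpf_deltas(prev, curr):
    """Per-interface growth between two polls, largest packet delta first.

    Assumption: both polls list the same interfaces in the same order,
    so list position identifies the interface.
    """
    if len(prev) != len(curr):
        raise ValueError("polls cover a different number of interfaces")
    findings = []
    for idx, ((p0, b0), (p1, b1)) in enumerate(zip(prev, curr)):
        if p1 < p0 or b1 < b0:
            # Counter went backwards: it was cleared or the router rebooted.
            # Count from zero instead of reporting a negative delta.
            dp, db = p1, b1
        else:
            dp, db = p1 - p0, b1 - b0
        if dp > 0:
            findings.append({"interface": idx, "packets": dp, "bytes": db,
                             "avg_size": round(db / dp, 1)})
    return sorted(findings, key=lambda f: f["packets"], reverse=True)

# Constructed sample polls (not the figures from the message).
POLL_1 = """\
> RPF Failures: Packets: 4200, Bytes: 449923
> RPF Failures: Packets: 0, Bytes: 0
> RPF Failures: Packets: 91, Bytes: 6978
> RPF Failures: Packets: 500, Bytes: 20000
"""
POLL_2 = """\
> RPF Failures: Packets: 4200, Bytes: 449923
> RPF Failures: Packets: 15000, Bytes: 600000
> RPF Failures: Packets: 95, Bytes: 7298
> RPF Failures: Packets: 10, Bytes: 400
"""

if __name__ == "__main__":
    for finding in rpf_deltas(parse_rpf(POLL_1), parse_rpf(POLL_2)):
        print(finding)
```

An interface that was at zero and starts counting is the case the message calls out: something behind it is newly misconfigured or compromised.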