On 2013-03-31, at 9:43 PM, Peter Baldridge <[email protected]> wrote:
> I can assume that If you are spoofing packets, resetting passwords on cpe and > replacing the box would be trivial. So it's questionable how useful this is. > It seems like it just adds cost to for customers that can't spoof a packet > to save their lives. Maybe it's useful for the people who have no idea that their computers are infected by bots that spoof packets. > On Mar 31, 2013 6:37 PM, "Jason Lixfeld" <[email protected]> wrote: > > On 2013-03-31, at 10:48 AM, Jay Ashworth <[email protected]> wrote: > > > Is there a program which users can run on an end-site workstation which > > would test whether they are being some link which is doing BCP38, or some > > related type of source-address ingress filtering? > > > > I'm hoping for something that could be downloaded by users and run, and > > try to forge a few packets to somewhere useful, which could be logged > > somehow in conjunction with some unforged packets containing a traceroute, > > so we could build up a database of leaky networks. > > > > On a related topic, while I know GRC Research's Steve Gibson is a bit of > > a polarizing personality, he does have a fairly sizable consumer audience, > > and might be a great distribution venue for such a thing. > > > > Or, perhaps, is there someone on here from Ookla? > > > > Patrick? Could Akamai be persuaded to take an interest in this as a > > research project? > > > From my perspective, 99% of end-users probably don't understand (or care) > that their provider might be responsible for initiating or precipitating a > DDoS attacks, period. Most network operators are probably either too > inexperienced to understand or too lazy to care. > > I believe that most everyone has a CPE of some sort, whether their service is > resi or commercial. So, what about shifting the focus to the CPE > manufacturers? They bend to technology and/or market pressures by bringing > things like NAT, Firewalls, DLNA, UPnP, IPv6 (heh), PPPoE, RFC1483, etc. to > their respective products in to satisfy technology limitations or security > concerns or whatever. Why can't they help the cause by implementing some > sort of RFC'ified BCP38 thing?
