On Apr 1, 2013, at 1:31 PM, Jimmy Hess wrote:

> If your packet source address is clamped, then, by definition a host can't 
> spoof a packet, right;  so maybe that's not a host that needs to
> be tested further  (the upstream provider might still have no BCP38, it's 
> just not exposed to that particular host).

Folks should implement anti-spoofing southbound of their NATs, using uRPF, 
ACLs, IP Source Guard, Cable IP Source Verify, or whatever, in order to keep 
botted hosts attempting to launch outbound/crossbound spoofed DDoS attacks 
(such as spoofed SYN-floods) from filling up the NAT translation-table and 
making it fall over, thus creating an outage for everything behind the NAT.  
I've seen this happen many times, especially in the mobile/fixed wireless space.

Likewise, they should implement anti-spoofing northbound, eastbound, and 
westbound of the NAT (eastbound and westbound assume it's a network of some 
scope), so that nothing else on their networks can send spoofed packets to 
external networks.

-----------------------------------------------------------------------
Roland Dobbins <[email protected]> // <http://www.arbornetworks.com>

          Luck is the residue of opportunity and design.

                       -- John Milton
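The failure mode described above (a botted host's spoofed SYN flood eating the NAT's translation slots until legitimate subscribers are locked out) can be shown with a small model. This is an added example, not code from the thread or from any vendor: the subscriber prefix `10.20.0.0/16`, the table capacity of 100 slots, and the traffic mix are all constructed, and `source_is_legitimate` stands in for a strict uRPF / IP Source Guard check on the southbound interface (source must fall within a prefix actually assigned behind that interface).

```python
import ipaddress
from collections import namedtuple

# Hypothetical subscriber prefix served on the NAT's southbound (inside) interface.
INSIDE_PREFIXES = [ipaddress.ip_network("10.20.0.0/16")]

Packet = namedtuple("Packet", "src dst proto sport dport")


def source_is_legitimate(pkt, prefixes=INSIDE_PREFIXES):
    """Simplified strict uRPF / IP Source Guard check on the southbound interface:
    a packet is accepted only if its source address belongs to a prefix that is
    actually assigned behind that interface."""
    src = ipaddress.ip_address(pkt.src)
    return any(src in prefix for prefix in prefixes)


class TranslationTable:
    """Toy NAT translation table with a fixed number of slots."""

    def __init__(self, capacity):
        self.capacity = capacity
        self.entries = {}

    def translate(self, pkt):
        # One entry per inside flow; every new (src, sport, dst, dport) costs a slot.
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
        if key in self.entries:
            return True
        if len(self.entries) >= self.capacity:
            return False  # table full: the new flow is dropped
        self.entries[key] = len(self.entries)  # value stands in for the outside port
        return True


def run_nat(packets, capacity, antispoof):
    """Push packets through the NAT, with or without southbound anti-spoofing,
    and return the counters a defender would want to see."""
    table = TranslationTable(capacity)
    stats = {"spoofed_dropped": 0, "translated": 0, "overflow": 0, "legit_denied": 0}
    for pkt in packets:
        if antispoof and not source_is_legitimate(pkt):
            stats["spoofed_dropped"] += 1  # dropped at ingress, never reaches the NAT
            continue
        if table.translate(pkt):
            stats["translated"] += 1
        else:
            stats["overflow"] += 1
            if source_is_legitimate(pkt):
                stats["legit_denied"] += 1  # a real subscriber lost a session
    return stats


def build_sample_traffic():
    """Constructed traffic: a botted host behind the NAT emits 200 spoofed SYNs
    with forged off-net source addresses, after which 20 legitimate subscribers
    open HTTPS sessions."""
    spoofed = [Packet(f"203.0.113.{i}", "192.0.2.10", "tcp", 1000 + i, 80)
               for i in range(200)]
    legit = [Packet(f"10.20.1.{i + 1}", "192.0.2.20", "tcp", 40000 + i, 443)
             for i in range(20)]
    return spoofed + legit


if __name__ == "__main__":
    traffic = build_sample_traffic()
    for antispoof in (False, True):
        print("anti-spoofing", "on " if antispoof else "off",
              run_nat(traffic, capacity=100, antispoof=antispoof))
```

Without the southbound check every forged source consumes a fresh translation slot, so the table is full before the real subscribers arrive and all 20 of them are denied; with the check the 200 spoofed packets are discarded before they touch the NAT and every legitimate session is translated. The counters `spoofed_dropped` and `legit_denied` are the two figures worth graphing on real gear: the first shows the filter is doing work, the second shows whether the NAT is still being pushed over.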

