On 10/02/14 08:37, Roland Dobbins wrote:
> On Oct 2, 2014, at 7:16 PM, Alain Hebert <[email protected]> wrote:
>
>>    BCP38 compliance is the exception not the norm.
> I'm not sure that's actually the case, practically-speaking.
>
> NAT is an awful thing for many reasons, and it's negative in terms of its 
> overall impact on security, but there's one actual benefit from it; it is 
> effectively a form of anti-spoofing.
>
> The prevalence of NAT on consumer broadband access networks means that those 
> networks do not generally emit spoofed packets.  The same goes for many SME 
> networks, even though they oughtn't to be running NAT in front of their 
> servers.
    You are right on that point, I keep forgetting about the little man :(

    My mindset was set on DDoS and not C&C/SPAM/etc.
> My guess is that the majority, if not all, of the reflection/amplification 
> attacks we see are actually initiated from servers under the control of 
> attackers and residing on hosting/co-location IDC networks which don't 
> enforce anti-spoofing at the access, distribution, or peering/transit 
> portions of their topologies.  Some of these servers are tied into so-called 
> 'booter' systems, whereas others are linked into more conventional C&C under 
> the direct control of attackers, while still others are utilized to launch 
> attacks 'by hand', as it were.
   
    We had the same experience where you get a 1Mbps stream of DDoS
amplification start on the 15th and end abruptly on the 30th at 23h55m
(CC report cycle/reject is often around 15 days).  Then on the 5th and
end 15 days later... for a few months in a row.
   
> Those networks are unmanaged and are likely to remain so (or are so-called 
> 'bulletproof' networks catering to criminals).  Their peers/upstream transits 
> likewise are not enforcing anti-spoofing on ingress, nor are they monitoring 
> traffic originating from these networks as it ingresses their own networks 
> (and in any event, the traffic volume of the spoofed packets on the attack 
> source - reflector/amplifier leg is relatively small).
>
> So, the problem is that those networks which are likely to implement the 
> various topologically-appropriate at the various edges of their network are 
> likely to have done so.  And by definition, the endpoint networks where the 
> spoofed traffic originates aren't likely to do so, nor are their immediate 
> peers/upstream transits - or they would've done so long ago. 
>
> ----------------------------------------------------------------------
> Roland Dobbins <[email protected]> // <http://www.arbornetworks.com>
>
>                    Equo ne credite, Teucri.
>
>                         -- Laocoön
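The two mechanisms discussed above, a BCP38-style ingress filter that drops packets whose source lies outside the prefixes assigned to the interface, and a consumer NAT edge that overwrites every egress source with its own address, modelled side by side. This is an added example written for this page; it is not code from the thread, from Roland or Alain, or from any vendor. The prefixes, the NAT's public address and the packets are constructed for illustration, and the NAT is modelled as NAT44 only, which is the common consumer case.

```python
"""BCP38 ingress filtering next to NAT as incidental anti-spoofing (added example).

Two edges are modelled:
  * bcp38_filter: a strict ingress filter on a customer-facing interface that
    only accepts packets sourced from the prefixes routed to that interface.
  * nat_egress: a consumer NAT44 box that rewrites every IPv4 source to its
    own public address, so a spoofed source never leaves the customer network.
All prefixes, addresses and packets are constructed for this example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


# Constructed: prefixes legitimately assigned to this customer-facing interface.
CUSTOMER_PREFIXES = [ip_network("203.0.113.0/24"), ip_network("2001:db8:1::/48")]

# Constructed traffic: legitimate DNS/NTP queries plus spoofed requests aimed
# at reflectors, each carrying a victim's address as the source.
TRAFFIC = [
    Packet("203.0.113.10", "198.51.100.53", 53),        # legitimate DNS query
    Packet("203.0.113.77", "198.51.100.123", 123),      # legitimate NTP query
    Packet("192.0.2.1", "198.51.100.53", 53),           # spoofed: victim 192.0.2.1
    Packet("192.0.2.1", "198.51.100.123", 123),         # spoofed, towards NTP reflector
    Packet("2001:db8:1::5", "2001:db8:ff::53", 53),     # legitimate v6 DNS query
    Packet("2001:db8:99::1", "2001:db8:ff::53", 53),    # spoofed v6 source
]


def bcp38_filter(packets, prefixes):
    """Strict ingress filter (what BCP38 / strict uRPF enforce at the access edge).

    A packet is accepted only if its source address falls inside one of the
    prefixes assigned to the interface it arrived on. Returns (accepted, dropped).
    """
    accepted, dropped = [], []
    for p in packets:
        src = ip_address(p.src)
        (accepted if any(src in net for net in prefixes) else dropped).append(p)
    return accepted, dropped


def nat_egress(packets, public_ip):
    """Source NAT44 on a consumer edge with no ingress filtering at all.

    Every IPv4 packet leaves with the NAT's own public address, so a spoofed
    IPv4 source is overwritten rather than forwarded. IPv6 is passed untouched
    because there is no NAT in the v6 path, so the side effect does not cover it.
    """
    return [
        Packet(public_ip, p.dst, p.dport) if ip_address(p.src).version == 4 else p
        for p in packets
    ]


def distinct_sources(packets):
    """Sorted set of source addresses seen on the wire after the edge."""
    return sorted({p.src for p in packets})


if __name__ == "__main__":
    accepted, dropped = bcp38_filter(TRAFFIC, CUSTOMER_PREFIXES)
    print("BCP38 accepted:", distinct_sources(accepted))
    print("BCP38 dropped (spoofed sources):", distinct_sources(dropped))
    # Constructed public address for the NAT box.
    print("Sources after NAT44:", distinct_sources(nat_egress(TRAFFIC, "192.0.2.200")))
```

The v4 spoofed packets are stopped by either edge, but for different reasons: the filter drops them, the NAT silently launders them into its own address. The v6 spoofed packet survives the NAT path, which is the caveat to keep in mind when leaning on NAT as anti-spoofing; only the explicit filter catches it.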
