On 10/2/2014 6:10 AM, Mikael Abrahamsson wrote:
Hi,
To fix a lot of the DDOS attacks going on, we need to make sure BCP38
compliance goes up. Only way to do this I can think of, is large scale
BCP38 testing. One way of doing this, is to have large projects such
as OpenWRT, RIPE Atlas project, perhaps even CPE vendors, implement
something that would spoof 1 packet per day or something to a known
destination, and in this packet the "real" source address of the
packet is included.
I have been getting pushback from people that this might be "illegal".
Could anyone please tell me what's illegal about trying to send a
packet with a random source address?
If we can get consensus in the operational world that this is actually
ok, would that help organisations to implement this kind of testing. I
could see vendors implement a test like "help verify network stability
and compliance, these tests are anonymous" checkbox during the initial
install, or something like this.
Why isn't this being done? Why are we complaining about 300 gigabit/s
DDOS attacks, asking people to fix their open resolvers, NTP servers
etc, when the actual culprit is that some networks in the world don't
implement BCP38?
A lot of the discussion on BCP38 seems to be around providers who are
unintentionally allowing IP spoofing.
What about providers who knowingly allow IP spoofing, because it's
profitable?
There's a provider that basically caters to the DDOS-as-a-service
industry by selling servers with unmetered connections, where they allow
IP spoofing. (If you've ever looked into this at all, you know exactly
who I'm talking about).
