Spoofer Report for NANOG for Dec 2021

2022-01-08 Thread CAIDA Spoofer Project
In response to feedback from operational security communities,
CAIDA's source address validation measurement project
(https://spoofer.caida.org) is automatically generating monthly
reports of ASes originating prefixes in BGP for systems from which
we received packets with a spoofed source address.
We are publishing these reports to network and security operations
lists in order to ensure this information reaches operational
contacts in these ASes.

This report summarises tests conducted within usa, can.

Inferred improvements during Dec 2021:
ASN     Name    Fixed-By
54825   PACKET  2021-12-03

Further information for the inferred remediation is available at:
https://spoofer.caida.org/remedy.php

Source Address Validation issues inferred during Dec 2021:
ASN     Name                            First-Spoofed  Last-Spoofed
577     BACOM                           2016-03-09     2021-12-29
209     CENTURYLINK-US-LEGACY-QWEST     2016-08-16     2021-12-30
20412   CLARITY-TELECOM                 2016-09-30     2021-12-31
6181    FUSE-NET                        2016-10-10     2021-12-27
11427   TWC-11427-TEXAS                 2016-10-21     2021-12-24
32440   LONI                            2016-11-03     2021-12-30
12083   WOW-INTERNET                    2016-11-09     2021-12-22
1403    EBOX                            2016-11-12     2021-12-08
22898   ATLINK                          2016-12-16     2021-12-28
54119   BOINGO-MDU                      2017-04-14     2021-12-30
701     UUNET                           2017-06-14     2021-12-04
63296   AWBROADBAND                     2017-09-01     2021-12-28
546     PARSONS-PGS-1                   2017-11-20     2021-12-23
1       AKAMAI                          2018-02-14     2021-12-30
33452   RW                              2018-09-19     2021-12-31
62904   EONIX-COMMUNICATIONS-ASBLOCK-6  2019-07-14     2021-12-29
398836  NP-NETWORKS                     2021-03-12     2021-12-31
56207   Converge                        2021-03-26     2021-12-01
399318                                  2021-08-29     2021-12-27
63457   EMPIRE-CONNECT                  2021-09-08     2021-12-30
212934  AS_POTVIN                       2021-10-03     2021-12-27
22773   ASN-CXA-ALL-CCI-22773-RDC       2021-10-24     2021-12-29
46449   ASTREA-NORTHWI-WESTUPMI         2021-11-07     2021-12-30
394437  PSLIGHTWAVE                     2021-12-02     2021-12-27
62887   WHITESKY-COMMUNICATIONS         2021-12-03     2021-12-29
54201   WEWORK-MANAGEMENT-LLC           2021-12-16     2021-12-16
139247                                  2021-12-22     2021-12-22
46997   NATOLAB                         2021-12-22     2021-12-29
5009    EATEL                           2021-12-26     2021-12-26
4922    SHENTEL                         2021-12-28     2021-12-28

Further information for these tests where we received spoofed
packets is available at:
https://spoofer.caida.org/recent_tests.php?country_include=usa,can_block=1

Please send any feedback or suggestions to spoofer-i...@caida.org


Re: Cloudflare Abuse Contact

2022-01-08 Thread Hank Nussbacher

On 07/01/2022 21:35, Töma Gavrichenkov wrote:

I would try n...@cloudflare.com based on:
https://www.peeringdb.com/net/4224

Regards,
Hank


Peace,

On Fri, Jan 7, 2022 at 8:42 PM Mike Hale wrote:

The abuse email sends an auto-responder that tells you to use the web form.
The web form is centered around their web hosting business; I figured
I'd try general, but you can't submit it without punching in a URL
that is hosted by Cloudflare (and they validate it ... you can't do
https://bogus.site).

What I'm seeing is a ton of abusive DNS traffic that's causing some
issues, and there's no abuse form that works for this scenario.


Most probably, that means that the company doesn't have any counter
abuse process whatsoever for requests like yours, so no matter where
you push that, there won't be any action.

Having said that, the aforementioned form accepts "https[: slash
slash]cloudflare.com" as a valid URL so chances are requests to that
URL are treated in the general sense.

In the meantime, are you sure you'll be able to support your case with
data?  DNS is *mostly* a connection-less protocol, so how do you know
these queries are coming from Cloudflare and not from a spoofed
source?

Lastly, have you tried to block the problematic Cloudflare IP range to
see what would happen?  E.g. does 1.1.1.1 still resolve your domains
then, etc.?

--
Töma
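
The question raised above about supporting an abuse report with data, as an added example that is not part of the thread: it splits logged DNS queries from a suspect prefix into those whose source address is proven by a TCP handshake and those that arrived over UDP and could be spoofed. The log format, the function names and the documentation prefixes standing in for the reported network are assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample log. Hypothetical format: time, source IP, transport, qname, qtype.
# 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges used as placeholders.
SAMPLE_LOG = """\
2022-01-07T20:01:02Z 198.51.100.7 udp a1.example.net A
2022-01-07T20:01:02Z 198.51.100.7 udp a2.example.net A
2022-01-07T20:01:03Z 198.51.100.9 udp a3.example.net A
2022-01-07T20:01:04Z 198.51.100.9 tcp www.example.net A
2022-01-07T20:01:05Z 203.0.113.5 udp www.example.net AAAA
2022-01-07T20:01:06Z 198.51.100.7 udp a4.example.net A
"""

def triage(log_text, suspect_prefixes):
    """Per source inside suspect_prefixes, count queries by whether the
    transport proves the source address (TCP) or not (UDP)."""
    nets = [ipaddress.ip_network(p) for p in suspect_prefixes]
    report = defaultdict(lambda: {"verified": 0, "unverified": 0})
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # malformed line
        src, proto = fields[1], fields[2].lower()
        try:
            addr = ipaddress.ip_address(src)
        except ValueError:
            continue  # not an IP address
        if not any(addr in net for net in nets):
            continue  # outside the network being reported
        if proto == "tcp":
            # The query arrived after a completed three-way handshake, so the
            # sender received our SYN-ACK at this address.
            report[src]["verified"] += 1
        elif proto == "udp":
            # A single datagram: the source field is whatever the sender wrote.
            report[src]["unverified"] += 1
    return dict(report)

def evidence_share(report):
    """Fraction of counted queries whose source address is verified."""
    verified = sum(r["verified"] for r in report.values())
    total = verified + sum(r["unverified"] for r in report.values())
    return verified / total if total else 0.0

if __name__ == "__main__":
    rep = triage(SAMPLE_LOG, ["198.51.100.0/24"])
    for src, counts in sorted(rep.items()):
        print(src, counts)
    print("verified share:", evidence_share(rep))
```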