I'd expect the colos to start "locking this down" about the same time I'd expect ISPs to start implementing BCP38 in earnest.
Adam
------ Original Message ------
From: "Dovid Bender" <do...@telecurve.com>
To: "Damian Menscher" <dam...@google.com>
Cc: "Mody, Nirmal" <nirmal_m...@cable.comcast.com>; "NANOG list" <nanog@nanog.org>
Sent: 2/26/2016 3:43:34 PM
Subject: Re: Thank you, Comcast.
Lawsuits? There is no reason the dedicated server I have with a 100meg pipe for $65.00 per month is able to spoof IPs. The colos should be doing a better job to lock this down.
Regards,
Dovid
-----Original Message-----
From: Damian Menscher <dam...@google.com>
Date: Fri, 26 Feb 2016 11:47:43
To: Dovid B <do...@telecurve.com>
Cc: Jared Mauch <ja...@puck.nether.net>; Jason Livingood <jason_living...@cable.comcast.com>; Mody, Nirmal <nirmal_m...@cable.comcast.com>; NANOG list <nanog@nanog.org>
Subject: Re: Thank you, Comcast.
"We all know..." followed by a false statement is amusing.
A significant portion of spoofing originates from North America. In a recent attack I'm reviewing, the top sources of spoofing were the southwestern US, the northwestern US, and east Asia (and almost none from Europe).
If ISPs understood how to collect and review netflow we might get somewhere... why is this so hard, and how do we fix it?
Damian
On Fri, Feb 26, 2016 at 10:48 AM, Dovid Bender <do...@telecurve.com> wrote:
We all know what countries this traffic is coming from. While you can threaten the local ISPs, the ones overseas where the traffic is coming from won't care.
Regards,
Dovid
-----Original Message-----
From: Damian Menscher via NANOG <nanog@nanog.org>
Sender: "NANOG" <nanog-boun...@nanog.org>
Date: Fri, 26 Feb 2016 08:02:52
To: Jared Mauch <ja...@puck.nether.net>; Jason Livingood <jason_living...@cable.comcast.com>; Mody, Nirmal <nirmal_m...@cable.comcast.com>
Reply-To: Damian Menscher <dam...@google.com>
Cc: NANOG list<nanog@nanog.org>
Subject: Re: Thank you, Comcast.
On Fri, Feb 26, 2016 at 6:28 AM, Jared Mauch <ja...@puck.nether.net> wrote:
> As a community we need to determine if this background radiation and these
> responses are proper. I think it's a good response since vendors can't do
> uRPF at line rate and the major purchasers of BCM switches don't ask for it
> and aren't doing it, so it's not optimized or does not exist. /sigh
>
I don't agree with the approach of going after individual reflectors (open*project) or blocking specific ports (Comcast's action here) as both are reactive, unlikely to be particularly effective (there are still millions of reflectors and plenty of open ports available), and don't solve the root problem (spoofed packets making it onto the public internet).
What I'd much rather see Comcast do is use their netflow to trace the source of the spoofed packets (one of their peers or transit providers, no doubt) and strongly encourage (using their legal or PR team as needed) them to trace back and stop the spoofing. This benefits everyone in a much more direct and scalable way. Until some of the larger providers start doing that, amplification attacks and other spoofed-source attacks (DNS and SYN floods) will continue to thrive.
(I've contacted several ISPs about the spoofed traffic they send to us. The next major hurdle is that so many don't have netflow or other useful monitoring of their networks....)
Damian
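As an added illustration of the netflow review Damian describes and the BCP38-style ingress check Adam refers to (example code, not from any poster in this thread), the script below audits constructed flow records against the source prefixes expected on each ingress interface, in both a strict (per-interface) and a loose (any known prefix) mode, and totals the packets that failed the check per interface so the offending peer or customer port stands out. Interface names, prefixes and flow records are all constructed for the example.

```python
# Added example, not code from the thread: BCP38-style audit of flow records.
# Flags packets whose source address should not be arriving on that ingress
# interface, the way a netflow review would surface a peer/customer port
# that is leaking spoofed-source traffic onto the network.
import ipaddress
from collections import Counter

# Constructed: source prefixes legitimately expected behind each ingress port.
# Addresses are documentation ranges (RFC 5737); names are hypothetical.
EXPECTED_SOURCES = {
    "cust-eth1": [ipaddress.ip_network("192.0.2.0/24")],
    "peer-eth2": [ipaddress.ip_network("198.51.100.0/24"),
                  ipaddress.ip_network("203.0.113.0/24")],
}
ALL_SOURCES = [net for nets in EXPECTED_SOURCES.values() for net in nets]

# Constructed flow records: (input interface, src, dst, ip proto, packets).
FLOWS = [
    ("cust-eth1", "192.0.2.10",   "198.51.100.5", 17, 1),
    ("cust-eth1", "10.9.9.9",     "203.0.113.1",  17, 900),   # not behind cust-eth1
    ("peer-eth2", "203.0.113.44", "192.0.2.7",    6,  3),
    ("peer-eth2", "192.0.2.99",   "192.0.2.7",    17, 450),   # our customer's space, from a peer
    ("peer-eth2", "172.16.0.1",   "192.0.2.7",    17, 1200),  # unknown source
]

def is_spoofed(ifname, src, strict=True):
    """Strict: source must sit in a prefix expected on that ingress interface.
    Loose: source only has to sit in some prefix we know at all. Loose gives
    fewer false positives under asymmetric routing on peer ports, but misses
    a peer spoofing another customer's address space."""
    addr = ipaddress.ip_address(src)
    nets = EXPECTED_SOURCES.get(ifname, []) if strict else ALL_SOURCES
    return not any(addr in net for net in nets)

def audit(flows, strict=True):
    """Per-ingress-interface count of packets that failed the source check."""
    failed = Counter()
    for ifname, src, _dst, _proto, pkts in flows:
        if is_spoofed(ifname, src, strict):
            failed[ifname] += pkts
    return failed

if __name__ == "__main__":
    # Worst offenders first: these are the ports whose upstream needs the
    # trace-back conversation Damian describes.
    for ifname, pkts in audit(FLOWS).most_common():
        print(f"{ifname}: {pkts} packets with unexpected source")
```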