Anti-spoofing: is anyone doing it?

Hank Nussbacher hank at att.net.il
Sun May 27 05:44:39 UTC 2001


I have recently been researching anti-spoofing for two ISPs and have an 
operational question or two.

We have found that about 5% of sites are connected to 2 ISPs but do not use 
BGP.  They use two different sets of IP addresses and point default to one 
of the two ISPs.  The return traffic will of course go to them via one of 
the two ISPs, but if you have anti-spoofing filters set up or try to set it 
up now, you will break their outgoing traffic.

Reasons to allow it:

1) Here we have multihomed customers, who are not eating up ASN space and 
are not asking for PI space and are happy the way they are working.  By 
stopping them, we will force this 5% to ask for ASNs and PI space.  So for 
the general well-being of the Internet - why not just let them be?
2) Anti-spoofing is set up to stop attacks from unknown IPs (RFC1918) or 
from an IP that doesn't belong to you.  In this case, the IP can be traced 
back to the user (via ISP #2).
3) If you block it, the customer will leave and go to another ISP that does 
not block these IP addresses.

Reasons to not allow it:

1) If ISP #1 has blocked the customer due to being an open mail relay 
(example), and then that customer just sends the traffic out via ISP #2 
(using ISP #1 IPs), they have circumvented the filter and blame will be 
placed on ISP #1 for not stopping an open email relay (this has actually 
happened once before).
2) I should not be announcing traffic for IPs that I am not announcing 
routing updates for.

I am curious if others have found this 5% occurrence and I am curious why no 
one else has raised this issue before.  Could it be that almost no one is 
running uRPF and/or anti-spoofing filters?

Thanks,
Hank
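
Added example, not part of the original message: a small Python model of the ingress source check on one customer-facing port, comparing a strict filter (only the prefixes this ISP assigned) with one that also permits a documented prefix from the customer's second ISP. The class and function names, the verdict labels and the prefixes (RFC 5737 documentation ranges) are assumptions made for illustration.

```python
import ipaddress

# RFC 1918 private ranges: never a valid source on a customer-facing port.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


class CustomerPort:
    """Source-address policy for one customer interface (hypothetical model)."""

    def __init__(self, assigned, other_isp=()):
        # Prefixes this ISP assigned to the customer.
        self.assigned = [ipaddress.ip_network(p) for p in assigned]
        # Prefixes the customer holds from its second ISP, recorded as exceptions.
        self.other_isp = [ipaddress.ip_network(p) for p in other_isp]

    def classify(self, src):
        """Return the verdict for one packet's source address."""
        addr = ipaddress.ip_address(src)
        if any(addr in n for n in RFC1918):
            return "drop-rfc1918"
        if any(addr in n for n in self.assigned):
            return "permit"
        if any(addr in n for n in self.other_isp):
            return "permit-exception"  # traceable to the customer via ISP #2
        return "drop-spoofed"


def tally(port, sources):
    """Count verdicts for a list of source addresses seen on the port."""
    counts = {}
    for src in sources:
        verdict = port.classify(src)
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts


# Constructed sample: sources seen arriving from one dual-homed customer.
SAMPLE_SOURCES = ["192.0.2.10", "198.51.100.7", "198.51.100.200",
                  "10.1.2.3", "203.0.113.50"]

# Strict anti-spoofing: only the space this ISP assigned.
STRICT = CustomerPort(assigned=["192.0.2.0/24"])
# Relaxed: the second ISP's assignment is permitted as a documented exception.
RELAXED = CustomerPort(assigned=["192.0.2.0/24"], other_isp=["198.51.100.0/24"])

if __name__ == "__main__":
    print("strict :", tally(STRICT, SAMPLE_SOURCES))
    print("relaxed:", tally(RELAXED, SAMPLE_SOURCES))
```

Counting the "permit-exception" verdict separately keeps the traffic sourced from the other ISP's space visible, which matters for the open-relay case raised above.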




