Who does source address validation? (was Re: what's that smell?)
Valdis.Kletnieks at vt.edu
Tue Oct 8 21:23:36 UTC 2002
On Tue, 08 Oct 2002 22:57:42 +0200, Iljitsch van Beijnum said:
> Ok, but how do you generate megabits worth of traffic for which there is
> no return traffic? At some level, someone or something must be trying to
> do something _really hard_ but keep failing every time. It just doesn't
> make sense.
Imagine if you will the following config:
(pipe to ISP)  +------+  DMZ 10.1.1/24  +-----+  internal 192.68.1/22
===============|router|----------------| NAT |-------
               +------+                +-----+
Now give the router a default route to the ISP - and then screw the NAT
config up so 198.68.1 packets show up on the DMZ. Or have something catch
a broken RIP announcement.. or any number of stupid things. Whoosh, instant
money for the ISP.. ;)
Last April (2001), while worrying about the NTP buffer overflow, we ran
a trace to see where NTP packets were going. In a 10 minute span, we
caught no less than 6 packets looking for an address that had been a
stratum-2 server - 11 years previously.
They've probably generated megabits of data for so long that they don't
even realize there's a problem. The perpetrators have retired or moved on,
and the incumbent admins don't see anything anomalous since it's always been
that way. Remember - the sort of admin that's not clued enough to get his
NAT to behave is probably the sort that wouldn't know how to run a network
monitor on his outbound pipe either. Lots of unclued admins out there...
--
Valdis Kletnieks
Computer Systems Senior Engineer
Virginia Tech
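An added example, not part of Valdis's post: a small Python model of source-address validation on the router's ISP-facing interface, using the subnets from the diagram above (internal 192.68.1/22, DMZ 10.1.1/24) and a constructed 203.0.113.0/24 standing in for the site's public block, which the post does not name. Dropping and counting non-site sources both stops the leak and makes it visible to the admin who otherwise never looks.

```python
from ipaddress import ip_address, ip_network

# Prefixes this site may legitimately source toward the ISP.  The post names
# no public block, so 203.0.113.0/24 (TEST-NET-3) is a constructed stand-in.
PERMITTED_SOURCES = [ip_network("203.0.113.0/24")]

# Constructed packets seen on the router's ISP-facing interface as
# (src, dst, bytes).  The NAT should have rewritten the 192.68.1/22 sources;
# in the post's scenario it has not, and the DMZ's own 10.1.1/24 space is
# private too, so neither may leave the site.
SAMPLE_PACKETS = [
    ("203.0.113.10", "198.51.100.1", 1500),   # properly NAT'd, legitimate
    ("192.68.1.5", "198.51.100.123", 76),      # leaked internal address
    ("192.68.1.5", "198.51.100.123", 76),
    ("192.68.2.77", "192.0.2.44", 1500),       # leaked, another internal host
    ("10.1.1.3", "192.0.2.9", 60),             # DMZ host with a private source
    ("203.0.113.22", "192.0.2.9", 400),
]


def source_permitted(src, permitted=PERMITTED_SOURCES):
    """True if src lies inside one of the site's permitted prefixes."""
    addr = ip_address(src)
    return any(addr in net for net in permitted)


def egress_filter(packets, permitted=PERMITTED_SOURCES):
    """Apply source-address validation outbound; returns (forwarded, dropped).
    dropped maps each offending source to (packet_count, byte_count)."""
    forwarded, dropped = [], {}
    for src, dst, size in packets:
        if source_permitted(src, permitted):
            forwarded.append((src, dst, size))
        else:
            pkts, octets = dropped.get(src, (0, 0))
            dropped[src] = (pkts + 1, octets + size)
    return forwarded, dropped


def worst_offenders(dropped):
    """Offending sources ordered by bytes dropped, most first."""
    return sorted(dropped, key=lambda s: dropped[s][1], reverse=True)


if __name__ == "__main__":
    fwd, drop = egress_filter(SAMPLE_PACKETS)
    print(f"forwarded {len(fwd)} packets, {len(drop)} offending sources dropped")
    for src in worst_offenders(drop):
        pkts, octets = drop[src]
        print(f"  {src}: {pkts} packets, {octets} bytes, not a site source")
```

The same per-source counters are what a real router exports on an outbound ACL; a source that keeps appearing there with no inbound counterpart is exactly the "traffic with no return" the thread is puzzling over.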