State of Spoofing [was: Re: BLS FastAccess internal tech needed]

Robert Beverly rbeverly at rbeverly.net
Tue Jan 24 17:01:20 UTC 2006


On Thu, Jan 12, 2006 at 11:09:13PM -0500, Steven M. Bellovin wrote:
> >RFC2827/BCP38?
> 
> The problem is that an ISP can do all the source filtering it wants, 
> but if it only blocks SYNs to port 25 all it takes is one unfiltered 
> dial-up to spoof that ISP's addresses.

On the subject of filtering and IP spoofing...

In the past year, our spoofer project has collected nearly 1200 unique
reports from across the Internet and we have an interesting, if not
wholly representative, dataset.  The latest version of our spoofer
tester includes a number of new features that may be interesting to
the community.

One particular new feature is the ability to determine where along a
tested path filtering is employed with what we're calling a "reverse
traceroute" mechanism [1].  Knowing the "filtering depth" is of
particular interest to us since there is an operational tension
between the specificity of router-level filters and the ability to
properly maintain them.  We also test fun stuff such as how far into
the adjacent neighbor address space the client can spoof, filtering
inconsistencies, etc.  

We'd appreciate any runs of the spoofer tester to help us gather
additional data.  The client, details of the reverse traceroute as
well as our "State of IP spoofing" summary results are all the web
page: 
   http://spoofer.csail.mit.edu/

Thanks,

rob

[1] The idea for the reverse traceroute arose from a fruitful 
    discussion with John Curran.



More information about the NANOG mailing list