BCP38 thread 93,871,738,435 (was Re: register.com down sev0?)

Steven M. Bellovin smb at cs.columbia.edu
Thu Oct 26 13:33:24 UTC 2006


On Thu, 26 Oct 2006 02:20:48 -0400 (EDT), Sean Donelan <sean at donelan.com>
wrote:

> 
> The only data I have is from the MIT anti-spoofing test project which
> has been pretty consistent for a long time.  About 75%-80% of the nets, 
> addresses, ASNs tested couldn't spoof, and about 20%-25% could.
> 
> The geo-location maps don't show much difference between parts of
> the world.  RIPE countries don't seem to be better or worse than ARIN
> countries or APNIC countries or so on.  ISPs on every continent seem
> to be about the same.
> 
> http://spoofer.csail.mit.edu/summary.php
> 
> If someone finds the silver bullet that will change the remaining 25% or
> so of networks, I think ISPs on every continent would be interested.

That would be nice -- but I wonder how much operational impact that would
have.

As you note, the 20-25% figure (of addresses) has been pretty constant
for quite a while.  Assuming that subverted machines are uniformly
distributed (a big assumption) and assuming that their methodology is
valid (another big assumption), that means we've already knocked out the
75-80% of the sources of spoofed IP address attacks.  Has anyone seen a
commensurate reduction in DDoS attacks?  I sure haven't heard of that.
Are people saying that the problem would be several times worse if
anti-spoofing weren't in place?  As best I can tell, the limiting factor
on attack rates isn't the lack of sources but the lack of a profit motive
for launching the attacks.

Put another way, anti-spoofing does three things: it makes reflector
attacks harder, it makes it easier to use ACLs to block sources, and it
helps people track down the bot and notify the admin. Are people actually
successfully doing either of the latter two?  I'd be surprised if there
were much of either.  That leaves reflector attacks.  Are those that large
a portion of the attacks people are seeing?

I agree that anti-spoofing is a good idea, and I've said so for a long
time.  I was one of the people who insisted that AT&T do it, way back
when.  But I'm not convinced it's a major factor here.


		--Steven M. Bellovin, http://www.cs.columbia.edu/~smb
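For readers who want to see the mechanism the thread is arguing about, the following is an added illustration (not code from this post, from NANOG, or from any vendor) of the check a BCP38 ingress filter performs at the customer edge, together with the loose-mode variant that a practitioner should not mistake for it. The interface names, prefixes (all from the documentation ranges) and packets are constructed for the example.

```python
"""Toy BCP38 ingress filter (added example, not from the NANOG thread).

Models what an ISP edge router does in strict mode: a packet arriving on a
customer-facing interface is forwarded only if its source address lies in a
prefix assigned to that customer. A reflector attack forges the victim's
address as source so the reflector's reply lands on the victim; that packet
is dropped at the first hop. The loose-mode check below only asks whether
the source is routed at all, which a forged-but-routable victim address
passes, so it does not give the reflector-attack protection the thread
discusses.

All interfaces, prefixes and packets here are constructed for this example.
"""
import ipaddress
from dataclasses import dataclass

# Constructed assignment table (assumption): customer-facing interface ->
# prefixes that customer may legitimately source traffic from.
INGRESS_PREFIXES = {
    "ge-0/0/1": [ipaddress.ip_network("192.0.2.0/24")],        # TEST-NET-1
    "ge-0/0/2": [ipaddress.ip_network("198.51.100.0/25"),      # half of TEST-NET-2
                 ipaddress.ip_network("2001:db8:100::/48")],   # doc prefix
}

# Constructed routing table (assumption) for the loose-mode check: any prefix
# with a route counts as a valid source regardless of arrival interface.
ROUTED_PREFIXES = (
    INGRESS_PREFIXES["ge-0/0/1"]
    + INGRESS_PREFIXES["ge-0/0/2"]
    + [ipaddress.ip_network("203.0.113.0/24")]   # the victim's network is routed too
)


@dataclass(frozen=True)
class Packet:
    ingress_if: str
    src: str
    dst: str


def ingress_permitted(pkt: Packet, table=INGRESS_PREFIXES) -> bool:
    """BCP38 strict check: forward only if src falls within a prefix assigned
    to the interface the packet arrived on. Unknown interfaces fail closed.
    ipaddress returns False for a v4/v6 family mismatch, so mixed tables are safe."""
    prefixes = table.get(pkt.ingress_if)
    if prefixes is None:
        return False
    src = ipaddress.ip_address(pkt.src)
    return any(src in net for net in prefixes)


def loose_permitted(pkt: Packet, routes=ROUTED_PREFIXES) -> bool:
    """Loose-mode check: permit if the source is routed anywhere. Catches
    bogons and unallocated space only; a spoofed routable address passes."""
    src = ipaddress.ip_address(pkt.src)
    return any(src in net for net in routes)


def filter_packets(pkts, table=INGRESS_PREFIXES):
    """Apply the strict check to a batch; returns (forwarded, dropped)."""
    forwarded, dropped = [], []
    for p in pkts:
        (forwarded if ingress_permitted(p, table) else dropped).append(p)
    return forwarded, dropped


# Constructed traffic mix (not captured data).
SAMPLE = [
    Packet("ge-0/0/1", "192.0.2.10", "198.51.100.53"),      # legit v4 query
    Packet("ge-0/0/1", "203.0.113.7", "198.51.100.53"),     # forged victim src
    Packet("ge-0/0/2", "2001:db8:100::1", "2001:db8::53"),  # legit v6
    Packet("ge-0/0/2", "198.51.100.200", "192.0.2.1"),      # outside the /25
    Packet("ge-0/0/9", "192.0.2.10", "192.0.2.1"),          # unknown interface
]

if __name__ == "__main__":
    fwd, drp = filter_packets(SAMPLE)
    for p in fwd:
        print("FORWARD", p)
    for p in drp:
        print("DROP   ", p, "loose-mode would pass:", loose_permitted(p))
```

Running it shows the forged-victim packet dropped by the strict check while the loose check lets it through, which is why loose-mode uRPF in the core does not substitute for BCP38 filtering at the customer edge.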


