BCP38 tester?
Dobbins, Roland
rdobbins at arbor.net
Mon Apr 1 07:24:07 UTC 2013
On Apr 1, 2013, at 1:31 PM, Jimmy Hess wrote:
> If your packet source address is clamped, then, by definition a host can't spoof a packet, right; so maybe that's not a host that needs to
> be tested further (the upstream provider might still have no BCP38, it's just not exposed to that particular host).
Folks should implement anti-spoofing southbound of their NATs, using uRPF, ACLs, IP Source Guard, Cable IP Source Verify, or whatever, in order to keep botted hosts attempting to launch outbound/crossbound spoofed DDoS attacks (such as spoofed SYN-floods) from filling up the NAT translation-table and making it fall over, thus creating an outage for everything behind the NAT. I've seen this happen many times, especially in the mobile/fixed wireless space.
Likewise, they should implement anti-spoofing northbound, eastbound, and westbound of the NAT (eastbound and westbound assume it's a network of some scope), so that nothing else on their networks can send spoofed packets to external networks.
-----------------------------------------------------------------------
Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>
Luck is the residue of opportunity and design.
-- John Milton
More information about the NANOG
mailing list