SNMP DDoS: the vulnerability you might not know you have

• Previous message (by thread): SNMP DDoS: the vulnerability you might not know you have
• Next message (by thread): Spoofing ASNs (Re: SNMP DDoS: the vulnerability you might not know you have)
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On (2013-07-31 17:07 -0700), bottiger wrote:

> But realistically those 2 problems are not going to be solved any time
> in the next decade. I have tested 7 large hosting networks only one of
> them had BCP38.

I wonder if it's truly that unrealistic. If we target access networks, it
seems impractical target.

We have about 40k origin only ASNs and about 7k ASNs which offer transit,
who could arguably trivially ACL those 40k peers.

If we truly tried, as a community to make deploying these ACLs easy and
actively reach out those 7k ASNs and offer help, would it be unrealistic to
have ACL deployed to sufficiently large portion of networks to make
spoofing impractical/expensive?


Do we have other approaches? Can we make this ACL dynamic to a degree? Can
we extract ACL information from BGP table?
If origin only ASN advertises prefix to global table anywhere, allow it at
matching 'remote-as' port. Does not look like difficult feature to build,
does not require magic HW support, essentially dynamically built ACL.
After this spoof would require injected trash BGP route, which would also
steal return traffic, making it useless for DoS.


-- 
  ++ytti

• Previous message (by thread): SNMP DDoS: the vulnerability you might not know you have
• Next message (by thread): Spoofing ASNs (Re: SNMP DDoS: the vulnerability you might not know you have)
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]