SNMP DDoS: the vulnerability you might not know you have

Saku Ytti saku at
Thu Aug 1 06:31:51 UTC 2013

On (2013-07-31 17:07 -0700), bottiger wrote:

> But realistically those 2 problems are not going to be solved any time
> in the next decade. I have tested 7 large hosting networks only one of
> them had BCP38.

I wonder if it's truly that unrealistic. If we target access networks, it
seems impractical target.

We have about 40k origin only ASNs and about 7k ASNs which offer transit,
who could arguably trivially ACL those 40k peers.

If we truly tried, as a community to make deploying these ACLs easy and
actively reach out those 7k ASNs and offer help, would it be unrealistic to
have ACL deployed to sufficiently large portion of networks to make
spoofing impractical/expensive?

Do we have other approaches? Can we make this ACL dynamic to a degree? Can
we extract ACL information from BGP table?
If origin only ASN advertises prefix to global table anywhere, allow it at
matching 'remote-as' port. Does not look like difficult feature to build,
does not require magic HW support, essentially dynamically built ACL.
After this spoof would require injected trash BGP route, which would also
steal return traffic, making it useless for DoS.


More information about the NANOG mailing list