Spoofing ASNs (Re: SNMP DDoS: the vulnerability you might not know you have)

Blake Dunlap ikiris at gmail.com
Thu Aug 8 17:46:10 UTC 2013


I noticed that two of my ASNs are on that list for example with low
numbers. I can't fathom how as at least one of them has uRPF implemented on
any actual interfaces and no downstreams/peers.

-Blake

On Thu, Aug 8, 2013 at 12:40 PM, Matthew Petach <mpetach at netflight.com>wrote:

> On Thu, Aug 8, 2013 at 10:29 AM, Jared Mauch <jared at puck.nether.net>
> wrote:
>
> >
> > On Aug 1, 2013, at 2:31 AM, Saku Ytti <saku at ytti.fi> wrote:
> >
> > > On (2013-07-31 17:07 -0700), bottiger wrote:
> > >
> > >> But realistically those 2 problems are not going to be solved any time
> > >> in the next decade. I have tested 7 large hosting networks only one of
> > >> them had BCP38.
> > >
> > > I wonder if it's truly that unrealistic. If we target access networks,
> it
> > > seems impractical target.
> > >
> > > We have about 40k origin only ASNs and about 7k ASNs which offer
> transit,
> > > who could arguably trivially ACL those 40k peers.
> > >
> > > If we truly tried, as a community to make deploying these ACLs easy and
> > > actively reach out those 7k ASNs and offer help, would it be
> unrealistic
> > to
> > > have ACL deployed to sufficiently large portion of networks to make
> > > spoofing impractical/expensive?
> >
> > The following is a sorted list from worst to best of networks that allow
> > spoofing: (cutoff here is 25k)
> >
> > (full list -
> > http://openresolverproject.org/full-spoofer-asn-list-201307.txt )
> >
> >
>
> > Count   ASN#
> > ------------
> > 1323950 3462
> > 1300938 4134
> > 1270046 8151
> > 1213972 9737
>
> ...
>
> For the technically clueless among us...
>
> what does "count" refer to in this output?
> How many times you were able to spoof
> an address through them?  How many
> different addresses you could spoof through
> them?  How many spoofed packets made it
> through before being blocked?
>
> It's kinda hard to know what the list
> represents without a bit of explanation
> around it.  ^_^;
>
> Thanks!  :)
>
> Matt
>


More information about the NANOG mailing list