[c-nsp] DNS amplification

Jared Mauch jared at puck.nether.net
Mon Mar 18 13:25:53 UTC 2013


On Mar 17, 2013, at 8:55 PM, Christopher Morrow <morrowc.lists at gmail.com> wrote:

> On Sun, Mar 17, 2013 at 6:36 PM, Arturo Servin <arturo.servin at gmail.com> wrote:
>> 
>>        They should publish the spoofable AS. Not for public shame but at least
>> to show the netadmins that they are doing something wrong, or if they
>> are trying to do the good thing it is not working.
>> 
>>        Or at least a tool to check for your ASN or netblock.
> 
> I don't disagree, but I'd point out that there are likely easier
> places to do bcp38 than others in everyone's network(s)... So, 'I do
> bcp38' unqualified is not as helpful, especially when almost all
> consumer grade links are bcp38 by default, which is likely where a
> bunch of this measurement originates. (well, I suspect a bunch of it
> is from consumer-grade links anyway)

(Not sure how this made it from c-nsp to nanog, but ...)

uRPF/BCP38 is an important part of a global solution.  Similar to open-relays, smurf amplifiers, and other "badness" on the network, one must assist the global network by deploying it where it makes sense.

Deploying it at your customer ports may make sense depending on your network.  Deploying it on peers may also make sense.

I think having a simple set of locations where people actually deploy it is critical, e.g.:

Colocation Network
Server Lans
VPS Lans
Static Routed Customer Edge

This should be the default, and something I've pushed at my employer for years.  

If you do nothing, you can expect nothing as the result.  If you attempt to do something, you can at least get an idea of where it's not coming from.  At least target these easy edges of the network where there is some value.

- Jared
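An added illustration of the deployment question raised in this thread (it is not code from Jared or anyone else in the discussion, and the prefixes, interface names and packets are constructed): a small model of what a router's uRPF check actually does against its FIB. Strict mode accepts a packet only if the best route back to its source address points at the interface it arrived on, which is exactly why the statically routed customer edges and server/VPS LANs listed above are the easy wins; the same model also shows the two caveats an operator runs into, namely that loose mode still admits spoofed sources that exist somewhere in the table, and that strict mode on a peer with asymmetric routing drops legitimate traffic.

```python
"""Model of uRPF strict/loose source checks against a small FIB.

Added example, not from the mailing-list thread. Prefixes, interfaces
and packets are constructed; the lookup is a plain longest-prefix match.
"""
import ipaddress
from typing import List, Optional, Tuple

# Constructed FIB: destination prefix -> egress interface. A router running
# uRPF looks up the packet's *source* address in this same table.
FIB = {
    "0.0.0.0/0": "peer0",         # default route toward the upstream
    "203.0.113.0/24": "cust1",    # statically routed customer edge
    "198.51.100.0/24": "srvlan",  # server LAN
    "192.0.2.0/24": "peer0",      # a prefix reachable via peer0
}

# Constructed packets as (ingress interface, source address).
PACKETS = [
    ("cust1", "203.0.113.10"),   # customer using its own address: legitimate
    ("cust1", "198.51.100.5"),   # customer spoofing the server LAN
    ("cust1", "10.0.0.1"),       # customer spoofing an address with no route
    ("peer0", "192.0.2.7"),      # peer sending from a prefix routed via it
    ("peer0", "203.0.113.10"),   # peer sending from our customer's prefix
    ("peer1", "192.0.2.7"),      # asymmetric routing: best route says peer0
]


def lookup(fib: dict, addr: str) -> Optional[Tuple[ipaddress.IPv4Network, str]]:
    """Longest-prefix match of addr in fib; returns (network, iface) or None."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, iface in fib.items():
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def urpf_strict(fib: dict, ingress: str, src: str) -> bool:
    """Accept only if the best route back to src exits via the ingress interface."""
    match = lookup(fib, src)
    return match is not None and match[1] == ingress


def urpf_loose(fib: dict, src: str, allow_default: bool = False) -> bool:
    """Accept if any route to src exists; the default route counts only if allowed."""
    match = lookup(fib, src)
    if match is None:
        return False
    if match[0].prefixlen == 0:
        return allow_default
    return True


def filter_packets(fib: dict, packets: List[Tuple[str, str]], mode: str):
    """Split packets into (accepted, dropped) under 'strict' or 'loose' uRPF."""
    accepted, dropped = [], []
    for ingress, src in packets:
        if mode == "strict":
            ok = urpf_strict(fib, ingress, src)
        else:
            ok = urpf_loose(fib, src)
        (accepted if ok else dropped).append((ingress, src))
    return accepted, dropped


if __name__ == "__main__":
    for mode in ("strict", "loose"):
        acc, drop = filter_packets(FIB, PACKETS, mode)
        print(f"{mode}: accepted={acc}")
        print(f"{mode}: dropped={drop}")
```

Running it shows strict mode dropping every spoofed packet from cust1 but also dropping the legitimate peer1 packet whose return route points at peer0, while loose mode keeps that packet and the spoofed 198.51.100.5 source alike; that trade-off is why the thread's advice targets the edges where strict mode is safe first.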



More information about the NANOG mailing list