Permitting spoofed traffic [Was: Re: ddos attack blog]

Joe Provo nanog-post at
Sat Feb 15 00:09:46 UTC 2014

On Fri, Feb 14, 2014 at 10:42:55AM -0800, Paul Ferguson wrote:
> Taken to the logical extreme, the "right thing" to do is to deny any
> spoofed traffic from abusing these services altogether. NTP is not the
> only one; there is also SNMP, DNS, etc.
...and then we're back to "implement BCP38 already!" (like one of 
the authors of the document didn't think of that, ferg? ;-)

NB: Some Entities believe all filtering is 'bcp 38' and thus have 
given this stone-dead logical and sane practice a bad rap. If 
someone is sloppy with their IRR-based filters or can't drive loose 
RPF correctly, that isn't the fault of BCP38.  

The document specifically speaks to aggregation points, most clearly
in the introduction:
"In other words, if an ISP is aggregating routing announcements 
 for multiple downstream networks, strict traffic filtering should 
 be used to prohibit traffic which claims to have originated from 
 outside of these aggregated announcements."

This goes for access, hosting, and most recently virtual hosting 
in teh cloude. Stop forgery at your edges and your life will be 



        RSUC / GweepNet / Spunk / FnB / CotSG / Usenix / NANOG

More information about the NANOG mailing list