Permitting spoofed traffic [Was: Re: ddos attack blog]
nanog-post at rsuc.gweep.net
Sat Feb 15 00:09:46 UTC 2014
On Fri, Feb 14, 2014 at 10:42:55AM -0800, Paul Ferguson wrote:
> Taken to the logical extreme, the "right thing" to do is to deny any
> spoofed traffic from abusing these services altogether. NTP is not the
> only one; there is also SNMP, DNS, etc.

...and then we're back to "implement BCP38 already!" (like one of
the authors of the document didn't think of that, ferg? ;-)

NB: Some Entities believe all filtering is 'bcp 38' and thus have
given this stone-dead logical and sane practice a bad rap. If
someone is sloppy with their IRR-based filters or can't drive loose
RPF correctly, that isn't the fault of BCP38.

The document specifically speaks to aggregation points, most clearly
in the introduction:

"In other words, if an ISP is aggregating routing announcements
for multiple downstream networks, strict traffic filtering should
be used to prohibit traffic which claims to have originated from
outside of these aggregated announcements."

This goes for access, hosting, and most recently virtual hosting
in teh cloude. Stop forgery at your edges and your life will be
RSUC / GweepNet / Spunk / FnB / CotSG / Usenix / NANOG
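
The source-address checks this message refers to (a BCP38 prefix filter at the aggregation point, strict RPF and loose RPF), compared on the same packets. This is an added example, not part of the original post; the interface names, the forwarding table and the per-customer prefix lists are constructed, and the RPF functions are simplified models rather than any vendor's implementation.

```python
import ipaddress

# Constructed data using documentation prefixes (RFC 5737); not from the post.
# FIB entries: (prefix, interface the best route points out of).
FIB = [
    ("192.0.2.0/25", "cust-a"),
    ("192.0.2.128/25", "cust-b"),
    ("198.51.100.0/24", "transit"),  # cust-a is multihomed; best path is via transit
    ("203.0.113.0/24", "transit"),
]
# Aggregates each downstream interface may source traffic from (hypothetical).
ALLOWED = {
    "cust-a": ["192.0.2.0/25", "198.51.100.0/24"],
    "cust-b": ["192.0.2.128/25"],
}

def lookup(src):
    """Longest-prefix match on the FIB; returns the egress interface or None."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, ifname in FIB:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifname)
    return best[1] if best else None

def strict_rpf(src, in_if):
    # Accept only if the best route back to the source uses the arrival interface.
    return lookup(src) == in_if

def loose_rpf(src, in_if):
    # Accept if any route to the source exists; the arrival interface is ignored.
    return lookup(src) is not None

def prefix_filter(src, in_if):
    # BCP38-style ingress filter: source must fall inside the interface's aggregates.
    addr = ipaddress.ip_address(src)
    return any(addr in ipaddress.ip_network(p) for p in ALLOWED.get(in_if, []))

def verdicts(src, in_if):
    """True means the packet is accepted by that check."""
    return {"strict": strict_rpf(src, in_if),
            "loose": loose_rpf(src, in_if),
            "prefix": prefix_filter(src, in_if)}

if __name__ == "__main__":
    for src in ["192.0.2.10", "192.0.2.200", "198.51.100.7", "203.0.113.9", "10.1.1.1"]:
        print(src, "on cust-a ->", verdicts(src, "cust-a"))
```

In this model loose RPF accepts any forged source that is routable somewhere, strict RPF drops the multihomed customer's legitimate 198.51.100.7, and only the per-interface prefix filter gets both cases right.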