Permitting spoofed traffic [Was: Re: ddos attack blog]
Paul Ferguson
fergdawgster at mykolab.com
Sat Feb 15 02:07:07 UTC 2014
On 2/14/2014 4:09 PM, Joe Provo wrote:
> On Fri, Feb 14, 2014 at 10:42:55AM -0800, Paul Ferguson wrote:
> [snip]
>> Taken to the logical extreme, the "right thing" to do is to deny
>> any spoofed traffic from abusing these services altogether. NTP
>> is not the only one; there is also SNMP, DNS, etc.
>
> ...and then we're back to "implement BCP38 already!" (like one of
> the authors of the document didn't think of that, ferg? ;-)
>
> NB: Some Entities believe all filtering is 'bcp 38' and thus have
> given this stone-dead logical and sane practice a bad rap. If
> someone is sloppy with their IRR-based filters or can't drive loose
> RPF correctly, that isn't the fault of BCP38.
>
> The document specifically speaks to aggregation points, most
> clearly in the introduction: "In other words, if an ISP is
> aggregating routing announcements for multiple downstream networks,
> strict traffic filtering should be used to prohibit traffic which
> claims to have originated from outside of these aggregated
> announcements."
>
> This goes for access, hosting, and most recently virtual hosting in
> teh cloude. Stop forgery at your edges and your life will be
> easier.
>
Indeed -- I'm not in the business of bit-shipping these days, so I
can't endorse or advocate any particular method of blocking spoofed IP
packets in your gear.
I can, however, say with confidence that it is still a good idea.
Great idea, even. :-)
- ferg
--
Paul Ferguson
VP Threat Intelligence, IID
PGP Public Key ID: 0x54DC85B2
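The distinction Joe draws above between "loose" RPF and the strict filtering BCP38 asks for at an aggregation point, shown as an added example that is not part of the thread. The FIB, interface names and packet sources are constructed; only the strict check actually catches a customer forging another customer's addresses.

```python
"""Strict vs loose unicast RPF at an ISP aggregation point (constructed example)."""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed FIB: prefix -> interface the prefix is reachable through.
# cust-a and cust-b are downstream customers inside the aggregate 203.0.113.0/24
# that this ISP announces; everything else goes to the transit link.
FIB: Dict[str, str] = {
    "203.0.113.0/25": "cust-a",
    "203.0.113.128/25": "cust-b",
    "0.0.0.0/0": "upstream",
}


def lookup(src: str) -> Optional[Tuple[ipaddress.IPv4Network, str]]:
    """Longest-prefix match of a source address; returns (prefix, egress interface)."""
    addr = ipaddress.ip_address(src)
    best = None
    for pfx, iface in FIB.items():
        net = ipaddress.ip_network(pfx)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def loose_rpf(src: str, ingress: str) -> bool:
    """Loose mode: accept if any non-default route exists for the source.
    The ingress interface is ignored, so one customer can forge another's space."""
    hit = lookup(src)
    return hit is not None and hit[0].prefixlen > 0


def strict_rpf(src: str, ingress: str) -> bool:
    """Strict mode (BCP38 at the aggregation point): accept only if the best
    route back to the source points out the interface the packet arrived on."""
    hit = lookup(src)
    return hit is not None and hit[0].prefixlen > 0 and hit[1] == ingress


def dropped(packets: List[Tuple[str, str]], check) -> List[str]:
    """Return the source addresses a given check would discard."""
    return [src for src, ingress in packets if not check(src, ingress)]


# Constructed packets arriving on cust-a: one legitimate, one forging cust-b's
# range, one forging an address outside the aggregate entirely.
PACKETS = [("203.0.113.10", "cust-a"), ("203.0.113.200", "cust-a"), ("198.51.100.7", "cust-a")]

if __name__ == "__main__":
    print("loose drops :", dropped(PACKETS, loose_rpf))
    print("strict drops:", dropped(PACKETS, strict_rpf))
```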