Permitting spoofed traffic [Was: Re: ddos attack blog]

Sat Feb 15 02:07:07 UTC 2014

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 2/14/2014 4:09 PM, Joe Provo wrote:

> On Fri, Feb 14, 2014 at 10:42:55AM -0800, Paul Ferguson wrote: 
> [snip]
>> Taken to the logical extreme, the "right thing" to do is to deny
>> any spoofed traffic from abusing these services altogether. NTP
>> is not the only one; there is also SNMP, DNS, etc.
> 
> ...and then we're back to "implement BCP38 already!" (like one of 
> the authors of the document didn't think of that, ferg? ;-)
> 
> NB: Some Entities believe all filtering is 'bcp 38' and thus have 
> given this stone-dead logical and sane practice a bad rap. If 
> someone is sloppy with their IRR-based filters or can't drive loose
>  RPF correctly, that isn't the fault of BCP38.
> 
> The document specifically speaks to aggregation points, most
> clearly in the introduction: "In other words, if an ISP is
> aggregating routing announcements for multiple downstream networks,
> strict traffic filtering should be used to prohibit traffic which
> claims to have originated from outside of these aggregated
> announcements."
> 
> This goes for access, hosting, and most recently virtual hosting in
> teh cloude. Stop forgery at your edges and your life will be 
> easier.
> 

Indeed -- I'm not in the business of bit-shipping these days, so I
can't endorse or advocate any particular method of blocking spoofed IP
packets in your gear.

I can, however, say with confidence that it is still a good idea.
Great idea, even. :-)

- - ferg

- -- 
Paul Ferguson
VP Threat Intelligence, IID
PGP Public Key ID: 0x54DC85B2

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (MingW32)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iF4EAREIAAYFAlL+y8sACgkQKJasdVTchbKTXAEA0/czP0ECsFX4CyUr6yt4Dkap
D0NZT/UIo6h5E/dl0KEA/3hpxN2NLxZRix6JUTVHyv+LZ4RzgpG2myoXbgAq1+WS
=QQjA
-----END PGP SIGNATURE-----