Jared Mauch jared at puck.nether.net
Tue Jan 28 20:03:45 UTC 2014

On Jan 28, 2014, at 2:57 PM, Nick Olsen <nick at flhsi.com> wrote:

> Agreed.
> Our's listed for AS36295 are two customers, Which I know for a fact have their default route set out of a GRE tunnel interface. So while we hand them the request to their interface IP we've assigned them. The response is actually sent, And transported via the customers GRE Tunnel, And HQ's Dedicated internet access where their tunneling to. Making it appear that the reply has been spoofed. When in reality. it was just silent transported to another area before being sent to the src. 

Sure, but this means that network is allowing the spoofing :)

What I did last night was automated comparing the source ASN to the dest ASN mapped to and reported both the IP + ASN on a single line for those that were interested.

I'm seeing a lot of other email related to BCP-38 right now on another list, but I wanted to share some data (again) in public regarding the state of network spoofing out there.

I'd rather share some data and how others can observe this to determine how we can approach a fix.  Someone spoofing your IP address out some other carrier is something you may be interested to know about, even if you have a non-spoofing network.

- jared

More information about the NANOG mailing list