large BCP38 compliance testing

Mikael Abrahamsson swmike at swm.pp.se
Thu Oct 2 10:10:39 UTC 2014


Hi,

To fix a lot of the DDOS attacks going on, we need to make sure BCP38
compliance goes up. The only way to do this I can think of is large-scale
BCP38 testing. One way of doing this is to have large projects such as
OpenWRT, RIPE Atlas project, perhaps even CPE vendors, implement something
that would spoof 1 packet per day or something to a known destination, and
in this packet the "real" source address of the packet is included.

I have been getting pushback from people that this might be "illegal". 
Could anyone please tell me what's illegal about trying to send a packet 
with a random source address?

If we can get consensus in the operational world that this is actually ok,
would that help organisations to implement this kind of testing? I could
see vendors implement a test like "help verify network stability and
compliance, these tests are anonymous" checkbox during the initial
install, or something like this.

Why isn't this being done? Why are we complaining about 300 gigabit/s DDOS 
attacks, asking people to fix their open resolvers, NTP servers etc, when 
the actual culprit is that some networks in the world don't implement 
BCP38?

-- 
Mikael Abrahamsson    email: swmike at swm.pp.se
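
Added example, not part of the original post: collector-side logic at the "known destination" for the test described above, comparing the address a probe arrives from with the real address it carries. The payload format, the nonce, and the paired unspoofed control packet are assumptions; the post specifies only that the real source address is included in the packet.

```python
import ipaddress
from collections import defaultdict

# Constructed probe format (assumption; the post only says the real address is included):
#   b"BCP38TEST kind=<control|spoof> real=<sender's real address> nonce=<id>"
def parse_probe(payload):
    parts = payload.decode("ascii", errors="replace").split()
    if not parts or parts[0] != "BCP38TEST":
        return None
    fields = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
    try:
        real = ipaddress.ip_address(fields["real"])
        kind, nonce = fields["kind"], fields["nonce"]
    except (KeyError, ValueError):
        return None
    return (kind, str(real), nonce) if kind in ("control", "spoof") else None

def classify(packets):
    """packets: (observed_source, payload) pairs seen at the collector.
    Returns {nonce: (real_address, verdict)}."""
    seen = defaultdict(dict)
    for observed_src, payload in packets:
        probe = parse_probe(payload)
        if probe is None:
            continue  # not a test probe
        kind, real, nonce = probe
        seen[nonce]["real"] = real
        seen[nonce][kind] = ipaddress.ip_address(observed_src)
    verdicts = {}
    for nonce, obs in seen.items():
        if "control" not in obs:
            verdict = "inconclusive"  # no proof the path to the collector works
        elif "spoof" not in obs:
            verdict = "filtered"      # control arrived, spoofed probe was dropped
        elif obs["spoof"] == obs["control"]:
            verdict = "rewritten"     # e.g. NAT replaced the forged source
        else:
            verdict = "spoofable"     # forged source left the network intact
        verdicts[nonce] = (obs["real"], verdict)
    return verdicts

# Constructed sample observations (documentation address ranges).
SAMPLE = [
    ("198.51.100.7", b"BCP38TEST kind=control real=198.51.100.7 nonce=a1"),
    ("203.0.113.99", b"BCP38TEST kind=spoof real=198.51.100.7 nonce=a1"),
    ("192.0.2.10", b"BCP38TEST kind=control real=192.0.2.10 nonce=b2"),
    ("192.0.2.50", b"BCP38TEST kind=control real=10.0.0.5 nonce=c3"),
    ("192.0.2.50", b"BCP38TEST kind=spoof real=10.0.0.5 nonce=c3"),
    ("203.0.113.5", b"BCP38TEST kind=spoof real=198.51.100.9 nonce=d4"),
]
```

A missing spoofed probe only counts as "filtered" when the matching control packet arrived; otherwise the loss could be ordinary packet loss or a blocked path.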


