large BCP38 compliance testing

Nick Hilliard nick at foobar.org
Thu Oct 2 10:28:30 UTC 2014


On 02/10/2014 11:10, Mikael Abrahamsson wrote:
> Why isn't this being done? Why are we complaining about 300 gigabit/s DDOS
> attacks, asking people to fix their open resolvers, NTP servers etc, when
> the actual culprit is that some networks in the world don't implement BCP38?

ntp monlist / dnssec abuse can provide ~30x amplification.  So if you can 
find ten 1G links anywhere in the world which aren't protected with BCP38 
filtering, you can initiate a mostly untraceable 300G DDoS.

This shouldn't stop us from finding, then naming and shaming operators who 
don't use bcp38, but we also need to maintain realistic expectations about 
how successful it's going to be.

It would probably be more productive to pressurise transit providers to 
enforce bcp38 on their customer links.

Nick


