large BCP38 compliance testing
nick at foobar.org
Thu Oct 2 10:28:30 UTC 2014
On 02/10/2014 11:10, Mikael Abrahamsson wrote:
> Why isn't this being done? Why are we complaining about 300 gigabit/s DDOS
> attacks, asking people to fix their open resolvers, NTP servers etc, when
> the actual culprit is that some networks in the world don't implement BCP38?
ntp monlist / dnssec abuse can provide ~30x amplification. So if you can
find ten 1G links anywhere in the world which aren't protected with BGP38
filtering, you can initiate a mostly untraceable 300G DDoS.
This shouldn't stop us from finding, then naming and shaming operators who
don't use bcp38, but we also need to maintain realistic expectations about
how successful it's going to be.
It would probably be more productive to pressurise transit providers to
enforce bcp38 on their customer links.
More information about the NANOG