large BCP38 compliance testing

Alain Hebert ahebert at pubnix.net
Thu Oct 2 12:16:57 UTC 2014


On 10/02/14 06:10, Mikael Abrahamsson wrote:
>
> Hi,
>
> To fix a lot of the DDOS attacks going on, we need to make sure BCP38
> compliance goes up. Only way to do this I can think of, is large scale
> BCP38 testing. One way of doing this, is to have large projects such
> as OpenWRT, RIPE Atlas project, perhaps even CPE vendors, implement
> something that would spoof 1 packet per day or something to a known
> destination, and in this packet the "real" source address of the
> packet is included.

    A proof of concept could be as simple as a basic BCP38 test
implemented into the OpenWRT/DD-WRT UI.

> I have been getting pushback from people that this might be "illegal".
> Could anyone please tell me what's illegal about trying to send a
> packet with a random source address?

    You could reserve yourself an IP address in a subnet you own and use
that as a source IP for testing.

> If we can get consensus in the operational world that this is actually
> ok, would that help organisations to implement this kind of testing. I
> could see vendors implement a test like "help verify network stability
> and compliance, these tests are anonymous" checkbox during the initial
> install, or something like this.

In short:

    . Test Client calls the BCP38 Test Server for a Token;
    . Test Client sends a test packet with that token in the payload;
    . Test Client calls the BCP38 Test Server with the Token and the
server returns pass or fail, which is displayed back in the CPE UI;

    While being oversimplified, BCP38.org has some perl scripts from
last year's NTP DDoS rush that actually do part of this.

    If the initial proof of concept gets traction, a more complete BCP38
test set can be implemented; there are a few projects out there that
could be approached for it.

> Why isn't this being done? Why are we complaining about 300 gigabit/s
> DDOS attacks, asking people to fix their open resolvers, NTP servers
> etc, when the actual culprit is that some networks in the world don't
> implement BCP38?

    "most networks in the world"

    BCP38 compliance is the exception not the norm.

    PS: About that uRPF convo, we could dump all that knowledge into,
let's say... some comprehensive wiki page maybe =D  That way when the
topic arises we could just link to it.
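The three-step token exchange above, as an added example that is not from the post or from the BCP38.org scripts: a minimal server side in Python with an in-memory token store. The 60-second window, the payload format "BCP38 <token>", the "pending" state, and treating a token seen only from the client's real address (control packet, or source rewritten upstream) as a pass are assumptions of this example.

```python
import secrets
import time
from dataclasses import dataclass, field

@dataclass
class TestRecord:
    real_src: str                    # address the token request came from
    spoof_src: str                   # reserved address the client will forge as source
    issued: float                    # time the token was handed out
    seen_from: list = field(default_factory=list)  # observed sources of packets carrying the token

class BCP38TestServer:
    """Server side of the three-step test: issue token, collect packets, report a verdict."""
    TOKEN_TTL = 60.0   # seconds to wait for the test packet (assumed value)

    def __init__(self):
        self.tokens = {}

    def issue_token(self, real_src, spoof_src, now=None):
        """Step 1: hand out an unguessable token bound to the requesting client."""
        token = secrets.token_hex(8)
        self.tokens[token] = TestRecord(real_src, spoof_src, time.time() if now is None else now)
        return token

    def receive_test_packet(self, observed_src, payload):
        """Step 2: record the source address the packet actually arrived with.
        Only the IP header source (observed_src) matters; the payload identifies the test."""
        if not payload.startswith(b"BCP38 "):
            return False
        rec = self.tokens.get(payload[6:].decode("ascii", "replace"))
        if rec is None:          # unknown token: ignore rather than grow state from junk
            return False
        rec.seen_from.append(observed_src)
        return True

    def verdict(self, token, requester, now=None):
        """Step 3: pass/fail for the CPE UI. 'fail' means the forged source was
        delivered, i.e. no BCP38 filtering between the client and this server."""
        rec = self.tokens.get(token)
        if rec is None or rec.real_src != requester:
            return "unknown"     # only the client that asked for the token may read the result
        if rec.spoof_src in rec.seen_from:
            return "fail"
        now = time.time() if now is None else now
        if rec.real_src not in rec.seen_from and now - rec.issued < self.TOKEN_TTL:
            return "pending"     # window still open, nothing seen yet
        return "pass"            # forged packet never arrived as forged (dropped or rewritten)
```

A "pass" only says that this one path from the client to this server dropped the forged packet; it cannot tell a filter from plain packet loss unless a control packet from the real address is seen.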



More information about the NANOG mailing list