large BCP38 compliance testing

Roland Dobbins rdobbins at arbor.net
Thu Oct 2 12:37:55 UTC 2014


On Oct 2, 2014, at 7:16 PM, Alain Hebert <ahebert at pubnix.net> wrote:

>    BCP38 compliance is the exception not the norm.

I'm not sure that's actually the case, practically-speaking.

NAT is an awful thing for many reasons, and it's negative in terms of its overall impact on security, but there's one actual benefit from it; it is effectively a form of anti-spoofing.

The prevalence of NAT on consumer broadband access networks means that those networks do not generally emit spoofed packets.  The same goes for many SME networks, even though they oughtn't to be running NAT in front of their servers.

My guess is that the majority, if not all, of the reflection/amplification attacks we see are actually initiated from servers under the control of attackers and residing on hosting/co-location IDC networks which don't enforce anti-spoofing at the access, distribution, or peering/transit portions of their topologies.  Some of these servers are tied into so-called 'booter' systems, whereas others are linked into more conventional C&C under the direct control of attackers, while still others are utilized to launch attacks 'by hand', as it were.

Those networks are unmanaged and are likely to remain so (or are so-called 'bulletproof' networks catering to criminals).  Their peers/upstream transits likewise are not enforcing anti-spoofing on ingress, nor are they monitoring traffic originating from these networks as it ingresses their own networks (and in any event, the traffic volume of the spoofed packets on the attack source - reflector/amplifier leg is relatively small).

So, the problem is that those networks which are likely to implement the various topologically-appropriate at the various edges of their network are likely to have done so.  And by definition, the endpoint networks where the spoofed traffic originates aren't likely to do so, nor are their immediate peers/upstream transits - or they would've done so long ago. 

----------------------------------------------------------------------
Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>

                   Equo ne credite, Teucri.

    		   	  -- Laocoön




More information about the NANOG mailing list