Thank you, Comcast.

Damian Menscher damian at google.com
Fri Feb 26 19:47:43 UTC 2016


"We all know..." followed by a false statement is amusing.

A significant portion of spoofing originates from North America.  In a
recent attack I'm reviewing, the top sources of spoofing were the
southwestern US, the northwestern US, and east Asia (and almost none from
Europe).

If ISPs understood how to collect and review netflow we might get
somewhere... why is this so hard, and how do we fix it?

Damian

On Fri, Feb 26, 2016 at 10:48 AM, Dovid Bender <dovid at telecurve.com> wrote:

> We all know what countries this traffic is coming from. While you can
> threaten the local ISP's the ones over seas where the traffic is coming
> from won't care.
>
> Regards,
>
> Dovid
>
> -----Original Message-----
> From: Damian Menscher via NANOG <nanog at nanog.org>
> Sender: "NANOG" <nanog-bounces at nanog.org>Date: Fri, 26 Feb 2016 08:02:52
> To: Jared Mauch<jared at puck.nether.net>; Jason Livingood<
> Jason_Livingood at cable.comcast.com>; Mody, Nirmal<
> Nirmal_Mody at cable.comcast.com>
> Reply-To: Damian Menscher <damian at google.com>
> Cc: NANOG list<nanog at nanog.org>
> Subject: Re: Thank you, Comcast.
>
> On Fri, Feb 26, 2016 at 6:28 AM, Jared Mauch <jared at puck.nether.net>
> wrote:
>
> > As a community we need to determine if this background radiation and
> these
> > responses are proper. I think it's a good response since vendors can't do
> > uRPF at line rate and the major purchasers of BCM switches don't ask for
> it
> > and aren't doing it, so it's not optimized or does not exist. /sigh
> >
>
> I don't agree with the approach of going after individual reflectors
> (open*project) or blocking specific ports (Comcast's action here) as both
> are reactive, unlikely to be particularly effective (there are still
> millions of reflectors and plenty of open ports available), and don't solve
> the root problem (spoofed packets making it onto the public internet).
> What I'd much rather see Comcast do is use their netflow to trace the
> source of the spoofed packets (one of their peers or transit providers, no
> doubt) and strongly encourage (using their legal or PR team as needed) them
> to trace back and stop the spoofing.  This benefits everyone in a much more
> direct and scalable way.  Until some of the larger providers start doing
> that, amplification attacks and other spoofed-source attacks (DNS and
> synfloods) will continue to thrive.
>
> (I've contacted several ISPs about the spoofed traffic they send to us.
> The next major hurdle is that so many don't have netflow or other useful
> monitoring of their networks....)
>
> Damian
>


More information about the NANOG mailing list