Thank you, Comcast.
dovid at telecurve.com
Fri Feb 26 20:43:34 UTC 2016
Lawsuits? There is no reason the dedicated server I have with a 100meg pipe for $65.00 per month is able to spoof IP's. The colo's should be doing a better job to lock this down.
From: Damian Menscher <damian at google.com>
Date: Fri, 26 Feb 2016 11:47:43
To: Dovid B<dovid at telecurve.com>
Cc: Jared Mauch<jared at puck.nether.net>; Jason Livingood<Jason_Livingood at cable.comcast.com>; Mody, Nirmal<Nirmal_Mody at cable.comcast.com>; NANOG list<nanog at nanog.org>
Subject: Re: Thank you, Comcast.
"We all know..." followed by a false statement is amusing.
A significant portion of spoofing originates from North America. In a
recent attack I'm reviewing, the top sources of spoofing were the
southwestern US, the northwestern US, and east Asia (and almost none from
If ISPs understood how to collect and review netflow we might get
somewhere... why is this so hard, and how do we fix it?
On Fri, Feb 26, 2016 at 10:48 AM, Dovid Bender <dovid at telecurve.com> wrote:
> We all know what countries this traffic is coming from. While you can
> threaten the local ISP's the ones over seas where the traffic is coming
> from won't care.
> -----Original Message-----
> From: Damian Menscher via NANOG <nanog at nanog.org>
> Sender: "NANOG" <nanog-bounces at nanog.org>Date: Fri, 26 Feb 2016 08:02:52
> To: Jared Mauch<jared at puck.nether.net>; Jason Livingood<
> Jason_Livingood at cable.comcast.com>; Mody, Nirmal<
> Nirmal_Mody at cable.comcast.com>
> Reply-To: Damian Menscher <damian at google.com>
> Cc: NANOG list<nanog at nanog.org>
> Subject: Re: Thank you, Comcast.
> On Fri, Feb 26, 2016 at 6:28 AM, Jared Mauch <jared at puck.nether.net>
> > As a community we need to determine if this background radiation and
> > responses are proper. I think it's a good response since vendors can't do
> > uRPF at line rate and the major purchasers of BCM switches don't ask for
> > and aren't doing it, so it's not optimized or does not exist. /sigh
> I don't agree with the approach of going after individual reflectors
> (open*project) or blocking specific ports (Comcast's action here) as both
> are reactive, unlikely to be particularly effective (there are still
> millions of reflectors and plenty of open ports available), and don't solve
> the root problem (spoofed packets making it onto the public internet).
> What I'd much rather see Comcast do is use their netflow to trace the
> source of the spoofed packets (one of their peers or transit providers, no
> doubt) and strongly encourage (using their legal or PR team as needed) them
> to trace back and stop the spoofing. This benefits everyone in a much more
> direct and scalable way. Until some of the larger providers start doing
> that, amplification attacks and other spoofed-source attacks (DNS and
> synfloods) will continue to thrive.
> (I've contacted several ISPs about the spoofed traffic they send to us.
> The next major hurdle is that so many don't have netflow or other useful
> monitoring of their networks....)
More information about the NANOG