Thank you, Comcast.

Dovid Bender dovid at
Fri Feb 26 20:43:34 UTC 2016

Lawsuits? There is no reason the dedicated server I have with a 100meg pipe for $65.00 per month is able to spoof IP's. The colo's should be doing a better job to lock this down.



-----Original Message-----
From: Damian Menscher <damian at>
Date: Fri, 26 Feb 2016 11:47:43 
To: Dovid B<dovid at>
Cc: Jared Mauch<jared at>; Jason Livingood<Jason_Livingood at>; Mody, Nirmal<Nirmal_Mody at>; NANOG list<nanog at>
Subject: Re: Thank you, Comcast.

"We all know..." followed by a false statement is amusing.

A significant portion of spoofing originates from North America.  In a
recent attack I'm reviewing, the top sources of spoofing were the
southwestern US, the northwestern US, and east Asia (and almost none from

If ISPs understood how to collect and review netflow we might get
somewhere... why is this so hard, and how do we fix it?


On Fri, Feb 26, 2016 at 10:48 AM, Dovid Bender <dovid at> wrote:

> We all know what countries this traffic is coming from. While you can
> threaten the local ISP's the ones over seas where the traffic is coming
> from won't care.
> Regards,
> Dovid
> -----Original Message-----
> From: Damian Menscher via NANOG <nanog at>
> Sender: "NANOG" <nanog-bounces at>Date: Fri, 26 Feb 2016 08:02:52
> To: Jared Mauch<jared at>; Jason Livingood<
> Jason_Livingood at>; Mody, Nirmal<
> Nirmal_Mody at>
> Reply-To: Damian Menscher <damian at>
> Cc: NANOG list<nanog at>
> Subject: Re: Thank you, Comcast.
> On Fri, Feb 26, 2016 at 6:28 AM, Jared Mauch <jared at>
> wrote:
> > As a community we need to determine if this background radiation and
> these
> > responses are proper. I think it's a good response since vendors can't do
> > uRPF at line rate and the major purchasers of BCM switches don't ask for
> it
> > and aren't doing it, so it's not optimized or does not exist. /sigh
> >
> I don't agree with the approach of going after individual reflectors
> (open*project) or blocking specific ports (Comcast's action here) as both
> are reactive, unlikely to be particularly effective (there are still
> millions of reflectors and plenty of open ports available), and don't solve
> the root problem (spoofed packets making it onto the public internet).
> What I'd much rather see Comcast do is use their netflow to trace the
> source of the spoofed packets (one of their peers or transit providers, no
> doubt) and strongly encourage (using their legal or PR team as needed) them
> to trace back and stop the spoofing.  This benefits everyone in a much more
> direct and scalable way.  Until some of the larger providers start doing
> that, amplification attacks and other spoofed-source attacks (DNS and
> synfloods) will continue to thrive.
> (I've contacted several ISPs about the spoofed traffic they send to us.
> The next major hurdle is that so many don't have netflow or other useful
> monitoring of their networks....)
> Damian

More information about the NANOG mailing list