Thank you, Comcast.

Adam adam at
Fri Feb 26 21:07:51 UTC 2016

I'd expect the colos to start "locking this down" about the same time
I'd expect ISPs to start implementing BCP38 in earnest.


------ Original Message ------
From: "Dovid Bender" <dovid at>
To: "Damian Menscher" <damian at>
Cc: "Mody, Nirmal" <Nirmal_Mody at>; "NANOG list" 
<nanog at>
Sent: 2/26/2016 3:43:34 PM
Subject: Re: Thank you, Comcast.

>Lawsuits? There is no reason the dedicated server I have with a 100meg 
>pipe for $65.00 per month is able to spoof IPs. The colos should be 
>doing a better job to lock this down.
>-----Original Message-----
>From: Damian Menscher <damian at>
>Date: Fri, 26 Feb 2016 11:47:43
>To: Dovid B<dovid at>
>Cc: Jared Mauch<jared at>; Jason 
>Livingood<Jason_Livingood at>; Mody, 
>Nirmal<Nirmal_Mody at>; NANOG list<nanog at>
>Subject: Re: Thank you, Comcast.
>"We all know..." followed by a false statement is amusing.
>A significant portion of spoofing originates from North America.  In a
>recent attack I'm reviewing, the top sources of spoofing were the
>southwestern US, the northwestern US, and east Asia (and almost none 
>If ISPs understood how to collect and review netflow we might get
>somewhere... why is this so hard, and how do we fix it?
>On Fri, Feb 26, 2016 at 10:48 AM, Dovid Bender <dovid at> 
>>  We all know what countries this traffic is coming from. While you can
>>  threaten the local ISPs the ones overseas where the traffic is 
>>  from won't care.
>>  Regards,
>>  Dovid
>>  -----Original Message-----
>>  From: Damian Menscher via NANOG <nanog at>
>>  Sender: "NANOG" <nanog-bounces at>Date: Fri, 26 Feb 2016 
>>  To: Jared Mauch<jared at>; Jason Livingood<
>>  Jason_Livingood at>; Mody, Nirmal<
>>  Nirmal_Mody at>
>>  Reply-To: Damian Menscher <damian at>
>>  Cc: NANOG list<nanog at>
>>  Subject: Re: Thank you, Comcast.
>>  On Fri, Feb 26, 2016 at 6:28 AM, Jared Mauch <jared at>
>>  wrote:
>>  > As a community we need to determine if this background radiation 
>>  these
>>  > responses are proper. I think it's a good response since vendors 
>>can't do
>>  > uRPF at line rate and the major purchasers of BCM switches don't 
>>ask for
>>  it
>>  > and aren't doing it, so it's not optimized or does not exist. /sigh
>>  >
>>  I don't agree with the approach of going after individual reflectors
>>  (open*project) or blocking specific ports (Comcast's action here) as 
>>  are reactive, unlikely to be particularly effective (there are still
>>  millions of reflectors and plenty of open ports available), and don't 
>>  the root problem (spoofed packets making it onto the public 
>>  What I'd much rather see Comcast do is use their netflow to trace the
>>  source of the spoofed packets (one of their peers or transit 
>>providers, no
>>  doubt) and strongly encourage (using their legal or PR team as 
>>needed) them
>>  to trace back and stop the spoofing.  This benefits everyone in a 
>>much more
>>  direct and scalable way.  Until some of the larger providers start 
>>  that, amplification attacks and other spoofed-source attacks (DNS and
>>  synfloods) will continue to thrive.
>>  (I've contacted several ISPs about the spoofed traffic they send to 
>>  The next major hurdle is that so many don't have netflow or other 
>>  monitoring of their networks....)
>>  Damian
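The netflow-based tracing Damian describes (find which peer or transit provider is handing you packets with source addresses that peer has no business originating) is a software version of the uRPF check Jared says vendors can't do at line rate. The following is an added example, not code from the NANOG thread or from any of the operators named in it: it runs a per-ingress-interface source-prefix check over constructed NetFlow-style records and ranks peers by how many spoofed-source packets they delivered. The interface names, peer names, prefixes and flow records are all made up for the example; in practice the expected prefixes would come from that peer's BGP Adj-RIB-In (a feasible-path check), not a hand-written table.

```python
"""Added example (not from the NANOG thread): a software uRPF-style check
over exported NetFlow records, ranking ingress peers by spoofed-source volume.
Every interface, peer, prefix and flow below is constructed for illustration."""
import ipaddress
from collections import defaultdict

# Hypothetical ingress interface -> (peer name, prefixes that peer is expected
# to send from).  Constructed; a real deployment would derive this from the
# routes received from that peer.
PEER_PREFIXES = {
    "xe-0/0/1": ("peer-A", ["192.0.2.0/24", "198.51.100.0/24"]),
    "xe-0/0/2": ("peer-B", ["203.0.113.0/24"]),
}

# Constructed NetFlow-style records:
# (ingress_ifname, src_ip, dst_ip, dst_port, packets)
FLOWS = [
    ("xe-0/0/1", "192.0.2.10",   "198.51.100.5", 53,  120),
    # source is in peer-B's space but arrived from peer-A: spoofed
    ("xe-0/0/1", "203.0.113.77", "198.51.100.5", 53,  9000),
    ("xe-0/0/2", "203.0.113.8",  "192.0.2.44",   123, 40),
    # RFC 1918 source: never valid from an external peer
    ("xe-0/0/2", "10.0.0.1",     "192.0.2.44",   123, 5000),
]


def build_networks(table):
    """Parse the prefix strings once so per-flow checks are cheap."""
    return {
        ifname: (peer, [ipaddress.ip_network(p) for p in prefixes])
        for ifname, (peer, prefixes) in table.items()
    }


NETWORKS = build_networks(PEER_PREFIXES)


def is_spoofed(ifname, src_ip, networks=NETWORKS):
    """True when src_ip is outside every prefix expected on that ingress interface."""
    _peer, nets = networks[ifname]
    addr = ipaddress.ip_address(src_ip)
    return not any(addr in net for net in nets)


def spoofed_packets_by_peer(flows, networks=NETWORKS):
    """Sum packet counts of spoofed-source flows per peer, largest offender first."""
    totals = defaultdict(int)
    for ifname, src, _dst, _port, pkts in flows:
        if ifname not in networks:
            continue  # interface we have no expectation for; skip rather than guess
        if is_spoofed(ifname, src, networks):
            peer = networks[ifname][0]
            totals[peer] += pkts
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    for peer, pkts in spoofed_packets_by_peer(FLOWS):
        print(f"{peer}: {pkts} spoofed-source packets")
```

The ranking is the starting point for the conversation Damian wants to have with a peer: it names the ingress rather than the reflector or the destination port, which is why it scales better than blocking ports or chasing individual open resolvers. The check is only as good as the expected-prefix table; for a large transit peer that table is effectively "everything they announce", so the interesting signal is the leftover (private, bogon, or clearly-someone-else's space) rather than an exact per-customer match.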
