Thank you, Comcast.

Adam adam at arfmail.com
Fri Feb 26 21:07:51 UTC 2016


  I'd expect the Colo's to start "locking this down" about the same time 
I'd expect ISP's to start implementing BCP38 in earnest.

Adam

------ Original Message ------
From: "Dovid Bender" <dovid at telecurve.com>
To: "Damian Menscher" <damian at google.com>
Cc: "Mody, Nirmal" <Nirmal_Mody at cable.comcast.com>; "NANOG list" 
<nanog at nanog.org>
Sent: 2/26/2016 3:43:34 PM
Subject: Re: Thank you, Comcast.

>Lawsuits? There is no reason the dedicated server I have with a 100meg 
>pipe for $65.00 per month is able to spoof IP's. The colo's should be 
>doing a better job to lock this down.
>
>Regards,
>
>Dovid
>
>-----Original Message-----
>From: Damian Menscher <damian at google.com>
>Date: Fri, 26 Feb 2016 11:47:43
>To: Dovid B<dovid at telecurve.com>
>Cc: Jared Mauch<jared at puck.nether.net>; Jason 
>Livingood<Jason_Livingood at cable.comcast.com>; Mody, 
>Nirmal<Nirmal_Mody at cable.comcast.com>; NANOG list<nanog at nanog.org>
>Subject: Re: Thank you, Comcast.
>
>"We all know..." followed by a false statement is amusing.
>
>A significant portion of spoofing originates from North America. In a
>recent attack I'm reviewing, the top sources of spoofing were the
>southwestern US, the northwestern US, and east Asia (and almost none
>from Europe).
>
>If ISPs understood how to collect and review netflow we might get
>somewhere... why is this so hard, and how do we fix it?
>
>Damian
>
>On Fri, Feb 26, 2016 at 10:48 AM, Dovid Bender <dovid at telecurve.com> 
>wrote:
>
>>  We all know what countries this traffic is coming from. While you can
>>  threaten the local ISPs, the ones overseas where the traffic is coming
>>  from won't care.
>>
>>  Regards,
>>
>>  Dovid
>>
>>  -----Original Message-----
>>  From: Damian Menscher via NANOG <nanog at nanog.org>
>>  Sender: "NANOG" <nanog-bounces at nanog.org>
>>  Date: Fri, 26 Feb 2016 08:02:52
>>  To: Jared Mauch<jared at puck.nether.net>; Jason Livingood<
>>  Jason_Livingood at cable.comcast.com>; Mody, Nirmal<
>>  Nirmal_Mody at cable.comcast.com>
>>  Reply-To: Damian Menscher <damian at google.com>
>>  Cc: NANOG list<nanog at nanog.org>
>>  Subject: Re: Thank you, Comcast.
>>
>>  On Fri, Feb 26, 2016 at 6:28 AM, Jared Mauch <jared at puck.nether.net>
>>  wrote:
>>
>>  > As a community we need to determine if this background radiation and
>>  > these responses are proper. I think it's a good response since vendors
>>  > can't do uRPF at line rate and the major purchasers of BCM switches
>>  > don't ask for it and aren't doing it, so it's not optimized or does
>>  > not exist. /sigh
>>  >
>>
>>  I don't agree with the approach of going after individual reflectors
>>  (open*project) or blocking specific ports (Comcast's action here) as
>>  both are reactive, unlikely to be particularly effective (there are
>>  still millions of reflectors and plenty of open ports available), and
>>  don't solve the root problem (spoofed packets making it onto the public
>>  internet). What I'd much rather see Comcast do is use their netflow to
>>  trace the source of the spoofed packets (one of their peers or transit
>>  providers, no doubt) and strongly encourage (using their legal or PR
>>  team as needed) them to trace back and stop the spoofing. This benefits
>>  everyone in a much more direct and scalable way. Until some of the
>>  larger providers start doing that, amplification attacks and other
>>  spoofed-source attacks (DNS and synfloods) will continue to thrive.
>>
>>  (I've contacted several ISPs about the spoofed traffic they send to
>>  us. The next major hurdle is that so many don't have netflow or other
>>  useful monitoring of their networks....)
>>
>>  Damian
>>
>
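A sketch of the netflow review Damian describes, added here as an example and not code from any poster or operator: each flow record is checked against what its ingress interface may legitimately carry (customer ports must source only their assigned prefixes, as BCP38 ingress filtering requires; peer and transit ports must never source our own address space or bogons), and flagged packet counts are summed per ingress interface so the offending customer port or upstream stands out. Interface names, prefixes and flow records are all constructed.

```python
from ipaddress import ip_address, ip_network
from collections import Counter

# Customer-facing interfaces and the only source prefixes legitimate on
# each (strict BCP38 ingress policy). Hypothetical names and prefixes.
CUSTOMER_IFACES = {
    "ge-0/0/1": [ip_network("203.0.113.0/24")],
    "ge-0/0/2": [ip_network("198.51.100.0/24")],
}
# Our own address space: seeing it as a *source* on a peer/transit port
# means someone upstream forwarded spoofed packets toward us.
OWN_PREFIXES = [ip_network("203.0.113.0/24"), ip_network("198.51.100.0/24")]
PEER_IFACES = {"xe-1/0/0": "transit-A", "xe-1/0/1": "peer-B"}

# Constructed NetFlow-style records: (input iface, src, dst, packets)
FLOWS = [
    ("ge-0/0/1", "203.0.113.10", "192.0.2.1", 120),    # legitimate customer
    ("ge-0/0/1", "192.0.2.77", "192.0.2.1", 9000),     # customer spoofing
    ("xe-1/0/0", "198.51.100.5", "192.0.2.1", 15000),  # our space via transit
    ("xe-1/0/1", "10.1.1.1", "192.0.2.1", 300),        # private src via peer
    ("xe-1/0/1", "8.8.8.8", "192.0.2.1", 50),          # normal
]

def classify(flow):
    """Return a reason string if the flow's source cannot legitimately
    arrive on its ingress interface, else None."""
    iface, src, _dst, _pkts = flow
    addr = ip_address(src)
    if iface in CUSTOMER_IFACES:
        if not any(addr in p for p in CUSTOMER_IFACES[iface]):
            return "src outside customer prefix (BCP38 violation)"
        return None
    if iface in PEER_IFACES:
        if any(addr in p for p in OWN_PREFIXES):
            return "own prefix as source from peer/transit (spoofed)"
        if addr.is_private or addr.is_reserved or addr.is_loopback:
            return "bogon source from peer/transit (spoofed)"
    return None

def spoofed_packets_by_interface(flows):
    """Sum packets flagged as spoofed per ingress interface; the largest
    entries are the ports or peers to chase first."""
    counts = Counter()
    for f in flows:
        if classify(f):
            counts[f[0]] += f[3]
    return dict(counts)

if __name__ == "__main__":
    for iface, pkts in spoofed_packets_by_interface(FLOWS).items():
        print(f"{iface} ({PEER_IFACES.get(iface, 'customer')}): {pkts} spoofed pkts")
```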


