Thank you, Comcast.
Adam
adam at arfmail.com
Fri Feb 26 21:07:51 UTC 2016
I'd expect the Colo's to start "locking this down" about the same time
I'd expect ISP's to start implementing BCP38 in earnest.
Adam
------ Original Message ------
From: "Dovid Bender" <dovid at telecurve.com>
To: "Damian Menscher" <damian at google.com>
Cc: "Mody, Nirmal" <Nirmal_Mody at cable.comcast.com>; "NANOG list"
<nanog at nanog.org>
Sent: 2/26/2016 3:43:34 PM
Subject: Re: Thank you, Comcast.
>Lawsuits? There is no reason the dedicated server I have with a 100meg
>pipe for $65.00 per month is able to spoof IP's. The colo's should be
>doing a better job to lock this down.
>
>Regards,
>
>Dovid
>
>-----Original Message-----
>From: Damian Menscher <damian at google.com>
>Date: Fri, 26 Feb 2016 11:47:43
>To: Dovid B<dovid at telecurve.com>
>Cc: Jared Mauch<jared at puck.nether.net>; Jason
>Livingood<Jason_Livingood at cable.comcast.com>; Mody,
>Nirmal<Nirmal_Mody at cable.comcast.com>; NANOG list<nanog at nanog.org>
>Subject: Re: Thank you, Comcast.
>
>"We all know..." followed by a false statement is amusing.
>
>A significant portion of spoofing originates from North America. In a
>recent attack I'm reviewing, the top sources of spoofing were the
>southwestern US, the northwestern US, and east Asia (and almost none
>from
>Europe).
>
>If ISPs understood how to collect and review netflow we might get
>somewhere... why is this so hard, and how do we fix it?
>
>Damian
>
>On Fri, Feb 26, 2016 at 10:48 AM, Dovid Bender <dovid at telecurve.com>
>wrote:
>
>> We all know what countries this traffic is coming from. While you can
>> threaten the local ISP's the ones over seas where the traffic is
>>coming
>> from won't care.
>>
>> Regards,
>>
>> Dovid
>>
>> -----Original Message-----
>> From: Damian Menscher via NANOG <nanog at nanog.org>
>> Sender: "NANOG" <nanog-bounces at nanog.org>Date: Fri, 26 Feb 2016
>>08:02:52
>> To: Jared Mauch<jared at puck.nether.net>; Jason Livingood<
>> Jason_Livingood at cable.comcast.com>; Mody, Nirmal<
>> Nirmal_Mody at cable.comcast.com>
>> Reply-To: Damian Menscher <damian at google.com>
>> Cc: NANOG list<nanog at nanog.org>
>> Subject: Re: Thank you, Comcast.
>>
>> On Fri, Feb 26, 2016 at 6:28 AM, Jared Mauch <jared at puck.nether.net>
>> wrote:
>>
>> > As a community we need to determine if this background radiation
>>and
>> these
>> > responses are proper. I think it's a good response since vendors
>>can't do
>> > uRPF at line rate and the major purchasers of BCM switches don't
>>ask for
>> it
>> > and aren't doing it, so it's not optimized or does not exist. /sigh
>> >
>>
>> I don't agree with the approach of going after individual reflectors
>> (open*project) or blocking specific ports (Comcast's action here) as
>>both
>> are reactive, unlikely to be particularly effective (there are still
>> millions of reflectors and plenty of open ports available), and don't
>>solve
>> the root problem (spoofed packets making it onto the public
>>internet).
>> What I'd much rather see Comcast do is use their netflow to trace the
>> source of the spoofed packets (one of their peers or transit
>>providers, no
>> doubt) and strongly encourage (using their legal or PR team as
>>needed) them
>> to trace back and stop the spoofing. This benefits everyone in a
>>much more
>> direct and scalable way. Until some of the larger providers start
>>doing
>> that, amplification attacks and other spoofed-source attacks (DNS and
>> synfloods) will continue to thrive.
>>
>> (I've contacted several ISPs about the spoofed traffic they send to
>>us.
>> The next major hurdle is that so many don't have netflow or other
>>useful
>> monitoring of their networks....)
>>
>> Damian
>>
>
More information about the NANOG
mailing list