Krebs on Security booted off Akamai network after DDoS attack proves pricey

Mike Hammett nanog at
Sun Sep 25 14:50:54 UTC 2016

I've heard people say doing BCP38 is hard for big networks and it is if you do it at your provider\peering edges. It's easier if done at the customer edge. Simply don't allow the traffic onto your network to start with. 

Limit the spoofing attacks to just a single random ASN. How much smaller is the attack than it is now with hundreds or thousands of them? 

Mike Hammett 
Intelligent Computing Solutions 


----- Original Message -----

From: "Ca By" <cb.list6 at> 
To: "Jay Farrell" <jayfar at> 
Cc: "North American Network Operators' Group" <nanog at> 
Sent: Sunday, September 25, 2016 9:36:18 AM 
Subject: Re: Krebs on Security booted off Akamai network after DDoS attack proves pricey 

On Sunday, September 25, 2016, Jay Farrell via NANOG <nanog at> 

> And of course Brian Krebs has a thing or two to say, not the least is which 
> to push for BCP38 (good luck with that, right?). 

Yeh, bcp38 is not a viable solution. 

As long as their is one spoof capable network on the net, the problem will 
not be solved. While bcp38 is a true bcp, it is not a solution. It will 
not, and has not, moved the needle. 

A solution is aggregating the telemetry of source IP addresses in the 
botnet and assigning blame and liability to the owners of the IP addresses 
/ host ASN. 

The networks can then use AUP to shutdown the bot members. 

As where was a proactive approach, Kreb's data 
can be reactive approach. And since the data is evidence of a crime, the 
network operators can enforce the AUP. The attack did happen. This ip was 
involved. Remediation is required. 

>From there, the host ASN can 

> On Sun, Sep 25, 2016 at 12:43 AM, Jay R. Ashworth <jra at 
> <javascript:;>> wrote: 
> > ----- Original Message ----- 
> > > From: "Jay Farrell via NANOG" <nanog at <javascript:;>> 
> > 
> > > And of course on windows ipconfig /flushdns 
> > > 
> > > Still I had to wait for my corporate caching servers to update; I think 
> > the 
> > > TTL on the old A record was an hour. 
> > 
> > Are big eyeball networks still flooring A record TTLs on resolution? 
> > 
> > Cheers, 
> > -- jra 
> > -- 
> > Jay R. Ashworth Baylink 
> > jra at <javascript:;> 
> > Designer The Things I Think RFC 
> > 2100 
> > Ashworth & Associates 2000 Land 
> > Rover DII 
> > St Petersburg FL USA BCP38: Ask For It By Name! +1 727 647 
> > 1274 
> > 

More information about the NANOG mailing list