Krebs on Security booted off Akamai network after DDoS attack proves pricey

• Previous message (by thread): Krebs on Security booted off Akamai network after DDoS attack proves pricey
• Next message (by thread): Krebs on Security booted off Akamai network after DDoS attack proves pricey
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Sunday, September 25, 2016, Jay R. Ashworth <jra at baylink.com> wrote:

> ----- Original Message -----
> > From: "Ca By" <cb.list6 at gmail.com <javascript:;>>
>
> > On Sunday, September 25, 2016, Jay Farrell via NANOG <nanog at nanog.org
> <javascript:;>>
> > wrote:
> >
> >> And of course Brian Krebs has a thing or two to say, not the least is
> which
> >> to push for BCP38 (good luck with that, right?).
> >>
> >> https://krebsonsecurity.com/2016/09/the-democratization-of-censorship/
> >
> > Yeh, bcp38 is not a viable solution.
> >
> > As long as their is one spoof capable network on the net, the problem
> will
> > not be solved. While bcp38 is a true bcp, it is not a solution. It will
> > not, and has not, moved the needle.
>
> No; things which are not implemented anywhere generally don't move the
> needle.
>
>
It is implemented many places in fact.


> You're confusing cause and effect here, I think.
>
>
I will argue you are confused.


> You give no evidence that *pervasive implementation of 38* would *not* move
> the needle, and that's where we are right now: we do not have anything that
> looks like "pervasive implementation".
>
> *Ten* people could solve this problem.  Tomorrow.
>
> The chief engineers of the top 10 US eyeball providers could simply sit
> down
> and say "let's go do this thing".  And better than 80% of the potential
> sources
> would just vanish off the face of the internet.
>
>
Assume every network in the usa implements bcp38.

This simply means no spoofs source from usa. Every packet is sent from the
usa using a valid origin.

Assume also 50% of networks in Europe and Asia and the Southern Hemisphere
do bcp38 too.

Great.

The result is the needle has not moved at all.

CC nodes in the non bcp38 locations will send spoofed packets destinations
is comcast and att with a source of krebs.

Result?  Comcast and att cpe responds with crap to krebs. Ddos success
despite bcp38 in all of usa.





> Do I need to go do research, and name these 10 people?  :-)
>
> Cheers,
> -- jra
> --
> Jay R. Ashworth                  Baylink
> jra at baylink.com <javascript:;>
> Designer                     The Things I Think                       RFC
> 2100
> Ashworth & Associates       http://www.bcp38.info          2000 Land
> Rover DII
> St Petersburg FL USA      BCP38: Ask For It By Name!           +1 727 647
> 1274
>

• Previous message (by thread): Krebs on Security booted off Akamai network after DDoS attack proves pricey
• Next message (by thread): Krebs on Security booted off Akamai network after DDoS attack proves pricey
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]