I've heard people say doing BCP38 is hard for big networks, and it is if you do it at your provider/peering edges. It's easier if done at the customer edge. Simply don't allow the traffic onto your network to start with. Limit the spoofing attacks to just a single random ASN. How much smaller is the attack than it is now with hundreds or thousands of them?

-----
Mike Hammett
Intelligent Computing Solutions
http://www.ics-il.com
Midwest-IX
http://www.midwest-ix.com

----- Original Message -----
From: "Ca By" <cb.list6@gmail.com>
To: "Jay Farrell" <jayfar@jayfar.com>
Cc: "North American Network Operators' Group" <nanog@nanog.org>
Sent: Sunday, September 25, 2016 9:36:18 AM
Subject: Re: Krebs on Security booted off Akamai network after DDoS attack proves pricey

On Sunday, September 25, 2016, Jay Farrell via NANOG <nanog@nanog.org> wrote:
And of course Brian Krebs has a thing or two to say, not the least of which is to push for BCP38 (good luck with that, right?).
https://krebsonsecurity.com/2016/09/the-democratization-of-censorship/
Yeh, bcp38 is not a viable solution. As long as there is one spoof-capable network on the net, the problem will not be solved. While bcp38 is a true bcp, it is not a solution. It will not, and has not, moved the needle. A solution is aggregating the telemetry of source IP addresses in the botnet and assigning blame and liability to the owners of the IP addresses / host ASN. The networks can then use AUP to shut down the bot members. Whereas http://openntpproject.org/ was a proactive approach, Krebs's data can be a reactive approach. And since the data is evidence of a crime, the network operators can enforce the AUP. The attack did happen. This IP was involved. Remediation is required.
From there, the host ASN can
On Sun, Sep 25, 2016 at 12:43 AM, Jay R. Ashworth <jra@baylink.com> wrote:
----- Original Message -----
From: "Jay Farrell via NANOG" <nanog@nanog.org>
And of course on Windows, ipconfig /flushdns
Still I had to wait for my corporate caching servers to update; I think the TTL on the old A record was an hour.
Are big eyeball networks still flooring A record TTLs on resolution?
Cheers,
-- jra
--
Jay R. Ashworth   Baylink   jra@baylink.com
Designer   The Things I Think   RFC 2100
Ashworth & Associates   http://www.bcp38.info   2000 Land Rover DII
St Petersburg FL USA   BCP38: Ask For It By Name!   +1 727 647 1274
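A small simulation of the two BCP38 placements contrasted at the top of this thread (customer edge versus provider/peering edge), added here as an illustration; it is not code from the thread or from any of its participants. The interface names, the ISP and customer prefixes (RFC 5737 / RFC 3849 documentation ranges) and the packet records are all constructed. The point it makes concrete: at the customer edge the legitimate sources are a short allowlist, so everything else can be dropped, while at the peering edge the only safe rule is "drop packets from outside that claim our own addresses", which lets spoofing of everyone else's space straight through.

```python
"""
BCP38 ingress filtering, simulated at the customer edge and at the peering edge.

Added example, not code from the original NANOG thread. Interface names,
prefixes and the packet records below are constructed for illustration.
"""
import ipaddress
from collections import Counter

# Constructed: the ISP's own address space (what it announces to the world).
OUR_PREFIXES = [ipaddress.ip_network(p) for p in ("203.0.113.0/24", "2001:db8::/32")]

# Constructed: prefixes assigned to each customer-facing interface.
# At the customer edge the set of legitimate sources is exactly this allowlist.
CUSTOMER_ASSIGNMENTS = {
    "ge-0/0/1": [ipaddress.ip_network("203.0.113.0/26")],
    "ge-0/0/2": [ipaddress.ip_network("203.0.113.64/26"),
                 ipaddress.ip_network("2001:db8:1::/48")],
}

# Constructed: packets as (ingress_interface, source_ip). Several are spoofed.
PACKETS = [
    ("ge-0/0/1", "203.0.113.10"),      # legitimate
    ("ge-0/0/1", "198.51.100.7"),      # spoofed: not assigned to this customer
    ("ge-0/0/1", "203.0.113.70"),      # spoofed: belongs to the other customer
    ("ge-0/0/2", "2001:db8:1::beef"),  # legitimate
    ("ge-0/0/2", "203.0.113.200"),     # spoofed: our space, but not this customer's
    ("xe-1/0/0", "192.0.2.44"),        # peering edge: foreign source, must accept
    ("xe-1/0/0", "203.0.113.5"),       # peering edge: claims to be us, drop
]


def customer_edge_permit(iface, src):
    """Customer edge: permit only sources the customer was actually assigned.

    Strict allowlisting: anything outside the assigned prefixes is dropped,
    including addresses that belong to the ISP but to a different customer.
    An unknown interface has no assignment, so everything from it is dropped.
    """
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in CUSTOMER_ASSIGNMENTS.get(iface, []))


def peering_edge_permit(src):
    """Provider/peering edge: the only thing known for sure is that a packet
    arriving from outside must not carry one of *our* source addresses.

    This is a denylist of our own space; the rest of the Internet has to be
    accepted, so spoofing of third-party addresses passes straight through.
    """
    addr = ipaddress.ip_address(src)
    return not any(addr in net for net in OUR_PREFIXES)


def filter_packets(packets, customer_ifaces=CUSTOMER_ASSIGNMENTS):
    """Apply the check appropriate to each interface; return (permitted, dropped)."""
    permitted, dropped = [], []
    for iface, src in packets:
        if iface in customer_ifaces:
            ok = customer_edge_permit(iface, src)
        else:
            ok = peering_edge_permit(src)
        (permitted if ok else dropped).append((iface, src))
    return permitted, dropped


def drops_per_interface(packets):
    """Count drops per ingress interface: each drop on a customer port is a
    spoof attempt from that customer, which is the telemetry to act on."""
    _, dropped = filter_packets(packets)
    return Counter(iface for iface, _ in dropped)


if __name__ == "__main__":
    permitted, dropped = filter_packets(PACKETS)
    for p in permitted:
        print("PERMIT", *p)
    for d in dropped:
        print("DROP  ", *d)
    print(dict(drops_per_interface(PACKETS)))
```

Run as a script it permits three of the seven constructed packets and drops four; the two spoofs on ge-0/0/1 and the one on ge-0/0/2 are caught by the allowlist, while the peering-edge rule only catches the packet impersonating our own prefix. In production the same logic is what a per-interface ingress ACL or strict-mode uRPF on the customer port implements; the dictionary of assignments is the part that has to be kept in step with provisioning.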