They should publish the spoofable ASes. Not for public shame, but at least to show the netadmins that they are doing something wrong, or that if they are trying to do the good thing, it is not working. Or at least a tool to check for your ASN or netblock. /as
On 3/17/13 1:35 PM, Christopher Morrow wrote:
On Sun, Mar 17, 2013 at 11:33 AM, Arturo Servin <arturo.servin@gmail.com> wrote:
Yes, BCP38 is the solution.
Now, how widely is it deployed?
Someone said in the IEPG session during the IETF86 that 80% of the service providers had done it?
right... sure.
This raises two questions for me. One, is it really 80%, how to measure it?
csail had a project for a while... spoofer project? <http://spoofer.csail.mit.edu/>
I think the last I looked they reported ONLY 35% or so coverage of proper filtering. Looking at: <http://spoofer.csail.mit.edu/summary.php>
though they report 86% non-spoofable, that seems very high to me.
Second, if it were 80%, how come the 20% makes so much trouble and how to encourage it to deploy BCP38?
some of the 20% seems to be very high-speed connected end hosts, and at a 70:1 amplification ratio you don't need much bandwidth to fill a 1g pipe, eh?
-chris
(well, actually 4 questions :)
Regards, as
On 3/16/13 7:24 PM, Jon Lewis wrote:
On Sat, 16 Mar 2013, Robert Joosten wrote:
Hi,
Can anyone provide insight into how to defeat DNS amplification attacks?
Restrict resolvers to your customer networks.
And deploy RPF
uRPF / BCP38 is really the only solution. Even if we did close all the open recursion DNS servers (which is a good idea), the attackers would just shift to another protocol/service that provides amplification of traffic and can be aimed via spoofed source address packets. Going after DNS is playing whack-a-mole. DNS is the hip one right now. It's not the only one available.
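The thread's point is that the amplifier (DNS today, something else tomorrow) is not the root problem; the spoofed source address is, and BCP38 ingress filtering or uRPF at the customer edge is what removes it. The following is an added example, not code from anyone in this thread, that models the three checks an edge router can apply to a packet's source address: a static BCP38 customer ACL, strict uRPF (best route back to the source must point out the ingress interface) and loose uRPF (some non-default route to the source must exist). The forwarding table, interface names, customer prefix assignments and sample packets are all constructed for the illustration; the addresses come from the RFC 5737 documentation ranges.

```python
"""Source-address validation the way BCP38 / uRPF does it (constructed model)."""
import ipaddress

# Constructed forwarding table: prefix -> interface it is reached through.
# "customer1" and "customer2" are access ports; "upstream" is the transit link.
FIB = {
    "192.0.2.0/24": "customer1",
    "198.51.100.0/25": "customer2",
    "198.51.100.128/25": "customer1",
    "0.0.0.0/0": "upstream",  # default route
}
_FIB = [(ipaddress.ip_network(p), ifname) for p, ifname in FIB.items()]

# Constructed BCP38 assignment: which prefixes each customer port may source from.
CUSTOMER_PREFIXES = {
    "customer1": ["192.0.2.0/24", "198.51.100.128/25"],
    "customer2": ["198.51.100.0/25"],
}


def lookup(src):
    """Longest-prefix match of src against the FIB; returns (network, interface) or None."""
    addr = ipaddress.ip_address(src)
    best = None
    for net, ifname in _FIB:
        if addr.version == net.version and addr in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, ifname)
    return best


def bcp38_acl(src, ingress):
    """Static ingress ACL on a customer port: accept only that customer's assigned space.
    Non-customer ports (e.g. upstream) are not covered by this ACL and return None."""
    if ingress not in CUSTOMER_PREFIXES:
        return None
    addr = ipaddress.ip_address(src)
    return any(addr in ipaddress.ip_network(p) for p in CUSTOMER_PREFIXES[ingress])


def urpf_strict(src, ingress):
    """Strict uRPF: the best route back to src must leave via the ingress interface."""
    match = lookup(src)
    return match is not None and match[1] == ingress


def urpf_loose(src):
    """Loose uRPF: any non-default route to src is enough (only catches unrouted space).
    The default route is ignored, otherwise every address would pass."""
    match = lookup(src)
    return match is not None and match[0].prefixlen > 0


def audit(packets):
    """Run all three checks over (src, ingress) pairs; returns one dict per packet."""
    return [
        {
            "src": src,
            "ingress": ingress,
            "bcp38_acl": bcp38_acl(src, ingress),
            "strict": urpf_strict(src, ingress),
            "loose": urpf_loose(src),
        }
        for src, ingress in packets
    ]


# Constructed sample packets: (source address, interface it arrived on).
SAMPLE_PACKETS = [
    ("192.0.2.10", "customer1"),      # legitimate customer traffic
    ("203.0.113.5", "customer1"),     # spoofed: pretends to be an outside victim
    ("198.51.100.5", "customer1"),    # spoofed: another customer's address
    ("198.51.100.200", "customer1"),  # legitimate, second block of customer1
    ("198.51.100.5", "upstream"),     # our own space arriving from transit
]

if __name__ == "__main__":
    for row in audit(SAMPLE_PACKETS):
        print(row)
```

The audit shows why the thread favours strict filtering at the customer edge: the spoofed victim address (203.0.113.5) and the neighbouring customer's address are both dropped by the BCP38 ACL and by strict uRPF, while loose uRPF still lets the second one through because a route for it exists. Strict uRPF also catches the last case, our own prefix arriving from upstream, which a per-customer ACL alone does not cover.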