On Aug 6, 2008, at 12:01 PM, Sean Donelan wrote:
Attacks or misconfigured leaks?
Leaks of RFC1918 stuff is pretty common, just ask any of the root server operators how many packets they see from RFC1918 leaking networks or do a traceroute across several residential cable network backbones.
Attacks aren't as common because there is enough (not 100%) anti- spoofing (good) and/or bogon-filters (not as good) in different parts of the Internet it requires more thought to launch a spoofed DDOS than it does just to use tens of thousands of non-spoofed bots to launch a DDOS.
Arbor Networks has some data.
I shared some data on bogon source appearances in *observed* attacks in another email. Orthogonal of that, here's the current Infrastructure Security Survey (again: see below for participation information, if so inclined) totals for questions related to BCP 38 and uRPF application among respondents. A pointer to a complete set of data across ~70 ISPs from last years survey is provided below. (Note: it's my opinion that one should assume at least a slightly more clue-dense respondent base than the larger network operator pool - i.e., the actual BCP 38/uRPF numbers are likely lower, and you're more clueful if you complete the survey :-) -danny ----- Self-classified respondent network type (approaching 50 responses): Tier 1: 13.33% Tier 2: 28.89% Pure Content Network: 11.11% Hosting Provider: 8.89% Education or Academic Network: 13.33% Enterprise or Hybrid Network: 2.22% Other: 22.22% --- Do you employ strict uRPF or BCP 38 on the dedicated customer edge of your network? Yes: 51.11% No: 33.33% Other: 15.56% --- Do you employ strict uRPF or BCP 38 style filters on the broadband edge of your network? Yes: 40.00% No: 33.33% Other: 26.67% --- Do you employ uRPF or BCP 38 style filters on the peering edge of your network? Yes: 46.67% No: 46.67% Other: 6.67% ---------------------------- [snip] Folks, The 2008 Infrastructure Security Survey is up and available for input. You can register to complete the survey at this URL: <https://www.tcb.net/survey/index.php?sid=19672&lang=en> I've added many questions this time from past participants of the survey, this should be evidenced throughout. Thanks to all those that reviewed and provided questions explicitly for this edition. The survey response window will be ~2 weeks. We hope to make the results available by the end of September at the latest. Also, please recall that NO personally (or organizationally) identifiable information will be shared in any manner. The 2007 edition of the survey is available here: <http://www.tcb.net/wisp07.pdf> Or on the Arbor web site (reg required): <http://www.arbornetworks.com/report> Thanks in advance for your participation! -danny