On 1/28/2014 1:07 PM, Nick Olsen wrote:
While I see what you're saying. It's still not "Spoofed".
The device in question receives the request. And then generates a response with the src address of the egress interface of the device dst to the IP and port that requested it... In this case. The GRE tunnel. Unless I'm missing something here about replying to a request only on the interface which it ingressed the device. And the fact that it's UDP. not TCP. So it's fire-and-forget.
No in this case the system is being hit with a MITM type attack
Thus, Nothing was ever spoofed. It just simply was returned from a different interface of the same device. From our point of view. We saw the packet of DNS-SRC>OurCustomer. And the other ISP, Which transported the reply. only saw Customer-SRC>DNS-DST.
Obviously, This only works because it's UDP. And TCP would be broken.
Nick Olsen Network Operations (855) FLSPEED x106
---------------------------------------- From: "Jared Mauch" <jared@puck.nether.net> Sent: Tuesday, January 28, 2014 3:04 PM To: nick@flhsi.com Cc: "David Miller" <dmiller@tiggee.com>, Valdis.Kletnieks@vt.edu, "NANOG" <nanog@nanog.org> Subject: Re: BCP38.info
On Jan 28, 2014, at 2:57 PM, Nick Olsen <nick@flhsi.com> wrote:
Agreed.
Our's listed for AS36295 are two customers, Which I know for a fact have their default route set out of a GRE tunnel interface. So while we hand them the request to their interface IP we've assigned them. The response is actually sent, And transported via the customers GRE Tunnel, And HQ's Dedicated internet access where their tunneling to. Making it appear that the reply has been spoofed. When in reality. it was just silent transported to another area before being sent to the src.
Sure, but this means that network is allowing the spoofing :)
What I did last night was automated comparing the source ASN to the dest ASN mapped to and reported both the IP + ASN on a single line for those that were interested.
I'm seeing a lot of other email related to BCP-38 right now on another list, but I wanted to share some data (again) in public regarding the state of network spoofing out there.
I'd rather share some data and how others can observe this to determine how we can approach a fix. Someone spoofing your IP address out some other carrier is something you may be interested to know about, even if you have a non-spoofing network.
- jared
-- ------------- Personal Email - Disclaimers Apply