"Everyone should be deploying BCP 38! Wait, they are …."
Here's a piece which uses the MIT ANA data to assert that the job is mostly done already. Unless I'm very much mistaken, it appears that a large percentage of the failed BCP 38 spoofing tests listed in that data are actually due to customer-side NAT routers dropping packets... which is of course egress filtering rather than ingress filtering, and thus doesn't actually apply to our questions. Am I interpreting that correctly?
http://www.senki.org/everyone-should-be-deploying-bcp-38-wait-they-are/
(Oh, and bcp38.info is now the number 2 Ghit for "bcp38"; thanks to 5 new contributors for signing up to help so far this week.)
Cheers,
- jra
-- Sent from my Android phone with K-9 Mail. Please excuse my brevity.
That article is terrible. Looking at the stats provided, only 2582 unique AS's were tested. http://www.cidr-report.org/as2.0/#General_Status has over 46k AS's currently in the routing table. This means they have tested around 5% of the AS's on the Internet.
Dave
On 18 February 2014 17:20, Jay Ashworth <jra@baylink.com> wrote:
Here's a piece which uses the MIT ANA data to assert that the job is mostly done already.
Unless I'm very much mistaken, it appears that a large percentage of the failed BCP 38 spoofing tests listed in that data are actually due to customer side NAT routers dropping packets...
which is of course egress filtering rather than ingress filtering, and thus doesn't actually apply to our questions.
Am I interpreting that correctly?
http://www.senki.org/everyone-should-be-deploying-bcp-38-wait-they-are/
(Oh, and bcp38.info is now the number 2 Ghit for "bcp38"; thanks to 5 new contributors for signing up to help so far this week.)
Cheers, - jra -- Sent from my Android phone with K-9 Mail. Please excuse my brevity.
Barry is a well-respected security researcher. I'm surprised he posted this. In his defense, he did it over a year ago (June 11, 2012). Maybe we should ask him about it. I'll do that now....
-- TTFN, patrick
On Feb 18, 2014, at 13:31, Dave Bell <me@geordish.org> wrote:
That article is terrible.
Looking at the stats provided, only 2582 unique AS's were tested. http://www.cidr-report.org/as2.0/#General_Status has over 46k AS's currently in the routing table.
This means they have tested around 5% of the AS's on the Internet.
Dave
On Feb 18, 2014, at 1:40 PM, Patrick W. Gilmore <patrick@ianai.net> wrote:
Barry is a well respected security researcher. I'm surprised he posted this.
In his defense, he did it over a year ago (June 11, 2012). Maybe we should ask him about it. I'll do that now....
I'm not surprised in any regard. There are too many names for BCP-38, SAV, SSAC-004, BCP-84, Ingress Filtering, etc. There are many networks that perform this best practice either by "default" through NAT/firewalls or by explicit configuration of the devices. There are many networks that one will never be able to measure nor audit as well, but that doesn't mean we shouldn't continue to work on tracking back spoofed packets and reporting the attacks, and securing devices.
- Jared
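As an added illustration (not code from any poster in this thread), a small Python simulation of the distinction Jay draws between provider-side ingress filtering and customer-side NAT, and of Jared's point that some networks end up anti-spoofing "by default" through NAT while others need explicit configuration. The customer ports, prefix assignments and addresses are constructed from documentation ranges.

```python
import ipaddress

# Constructed provider view: which prefixes were assigned to each customer port.
CUSTOMER_PREFIXES = {
    "cust-a": [ipaddress.ip_network("198.51.100.0/24")],
    "cust-b": [ipaddress.ip_network("203.0.113.0/26"),
               ipaddress.ip_network("2001:db8:b::/48")],
}


def ingress_ok(port, src):
    """BCP 38 / SAV check at the provider edge: admit a packet arriving on
    `port` only if its source lies inside a prefix assigned to that customer.
    An IPv4 address never matches an IPv6 prefix, so the check is family-aware."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in CUSTOMER_PREFIXES[port])


def on_the_wire(port, src, behind_nat=False, public_ip=None,
                provider_filters=True):
    """Return the source address the rest of the Internet sees for one packet
    from a customer host, or None if the provider's ingress filter drops it.
    behind_nat: a customer NAT rewrites every outbound source to `public_ip`,
      the egress effect that hides a spoofed inside address without the ISP
      doing anything (and looks like 'blocked' in a spoofing test).
    provider_filters: whether the ISP actually runs BCP 38 on this port."""
    wire_src = public_ip if behind_nat else src
    if provider_filters and not ingress_ok(port, wire_src):
        return None
    return wire_src


def coverage_matrix():
    """The cases the thread argues about, for a packet whose claimed source
    belongs to no customer on the port it arrives from."""
    v4_spoof, v6_spoof = "192.0.2.99", "2001:db8:ffff::1"
    return {
        # NAT masks the spoof whether or not the ISP filters
        "nat, no isp filter": on_the_wire("cust-a", v4_spoof, True, "198.51.100.7", False),
        "nat, isp filter":    on_the_wire("cust-a", v4_spoof, True, "198.51.100.7", True),
        # a 'naked' host is only stopped by the provider's ingress filter
        "naked, no isp filter": on_the_wire("cust-a", v4_spoof, False, None, False),
        "naked, isp filter":    on_the_wire("cust-a", v4_spoof, False, None, True),
        # IPv6 homes usually have no NAT, so only the ISP check helps there
        "v6 naked, no isp filter": on_the_wire("cust-b", v6_spoof, False, None, False),
        "v6 naked, isp filter":    on_the_wire("cust-b", v6_spoof, False, None, True),
    }
```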
Below: On 2/18/2014 11:22 AM, Jared Mauch wrote:
On Feb 18, 2014, at 1:40 PM, Patrick W. Gilmore <patrick@ianai.net> wrote:
Barry is a well respected security researcher. I'm surprised he posted this.
In his defense, he did it over a year ago (June 11, 2012). Maybe we should ask him about it. I'll do that now....
I'm not surprised in any regard. There are too many names for BCP-38, SAV, SSAC-004, BCP-84, Ingress Filtering, etc..
This is why I am now using the phrase "anti-spoofing" when talking about this in public. It's far less cryptic, and I am breaking it into bite-sized components that people can actually understand. As engineers & technical people, we need to start using language people can wrap their brains around easily. Remember: We are living in the age of instant gratification and Attention Deficit Disorder. :-)
- ferg
There are many networks that perform this best practice either by "default" through NAT/firewalls or by explicit configuration of the devices.
There are many networks that one will never be able to measure nor audit as well, but that doesn't mean we shouldn't continue to work on tracking back spoofed packets and reporting the attacks, and securing devices.
- Jared
-- Paul Ferguson
VP Threat Intelligence, IID
PGP Public Key ID: 0x54DC85B2
On Feb 19, 2014, at 2:43 AM, Paul Ferguson <fergdawgster@mykolab.com> wrote:
This is why I am now using the phrase "anti-spoofing" when talking about this in public.
+1 It's also more semantically correct, in many cases.
-----------------------------------------------------------------------
Roland Dobbins <rdobbins@arbor.net> // <http://www.arbornetworks.com>
Luck is the residue of opportunity and design. -- John Milton
I agree that Barry's post can be read in misleading ways and I seem to recall chatting about that with him at some point. As to one poster's comment about random sampling, I'm pretty sure the Spoofer project likely fell short in a number of ways (e.g. being documented in not every language). So, if NATs prevent (many? most?) end-user machines from being able to inject spoofed IPv4 source addresses (IPv6 home gateways may well not provide such protection), maybe we should conclude that most of the spoofing is coming from somewhere else; perhaps including colo and cloud providers. I wonder how many users/admins of those kinds of machines ran the Spoofer test SW.
Tony
On Tue, Feb 18, 2014 at 2:22 PM, Jared Mauch <jared@puck.nether.net> wrote:
I'm not surprised in any regard. There are too many names for BCP-38, SAV, SSAC-004, BCP-84, Ingress Filtering, etc..
There are many networks that perform this best practice either by "default" through NAT/firewalls or by explicit configuration of the devices.
There are many networks that one will never be able to measure nor audit as well, but that doesn't mean we shouldn't continue to work on tracking back spoofed packets and reporting the attacks, and securing devices.
- Jared
On Feb 19, 2014, at 4:52 AM, Tony Tauber <ttauber@1-4-5.net> wrote:
maybe we should conclude that most of the spoofing is coming from somewhere else; perhaps including colo and cloud providers.
My theory - not yet backed by data - is that probably most spoofed traffic these days does in fact emanate from IDC networks, and that a non-trivial proportion of same emanates from a relatively small number of such networks. In many cases, it's possible to put 'naked' hosts on home broadband connections, however - and how common that is, and what proportion of those broadband access networks don't run any form of anti-spoofing, is an open question.
-----------------------------------------------------------------------
Roland Dobbins <rdobbins@arbor.net> // <http://www.arbornetworks.com>
Luck is the residue of opportunity and design. -- John Milton
----- Original Message -----
From: "Dave Bell" <me@geordish.org>
That article is terrible.
Looking at the stats provided, only 2582 unique AS's were tested. http://www.cidr-report.org/as2.0/#General_Status has over 46k AS's currently in the routing table.
This means they have tested around 5% of the AS's on the Internet.
Well, it did strike me, when someone cited the same data last week, that it seemed an awful lot of stew to make from that few oysters. I suppose it does depend on what percentage of end nodes are subsumed by those AS's, but there's no authoritative way to know that from on top.
Cheers,
-- jra
--
Jay R. Ashworth                  Baylink                       jra@baylink.com
Designer                     The Things I Think                       RFC 2100
Ashworth & Associates       http://www.bcp38.info          2000 Land Rover DII
St Petersburg FL USA      BCP38: Ask For It By Name!           +1 727 647 1274
participants (7)
- Dave Bell
- Dobbins, Roland
- Jared Mauch
- Jay Ashworth
- Patrick W. Gilmore
- Paul Ferguson
- Tony Tauber