BCP38 tester?
- Subject: BCP38 tester?
- From: rdobbins at arbor.net (Dobbins, Roland)
- Date: Mon, 1 Apr 2013 07:24:07 +0000
- In-reply-to: <CAAAwwbUB-8G==ZzCtn_C5Yncd_t2==KNT_POZFdVPHW9BLS55g@mail.gmail.com>
- References: <[email protected]> <1364787851.2136.7.camel@karl> <[email protected]> <1364792091.2136.15.camel@karl> <CAAAwwbUB-8G==ZzCtn_C5Yncd_t2==KNT_POZFdVPHW9BLS55g@mail.gmail.com>
On Apr 1, 2013, at 1:31 PM, Jimmy Hess wrote:
> If your packet source address is clamped, then, by definition a host can't spoof a packet, right; so maybe that's not a host that needs to
> be tested further (the upstream provider might still have no BCP38, it's just not exposed to that particular host).
Folks should implement anti-spoofing southbound of their NATs, using uRPF, ACLs, IP Source Guard, Cable IP Source Verify, or whatever, in order to keep botted hosts attempting to launch outbound/crossbound spoofed DDoS attacks (such as spoofed SYN-floods) from filling up the NAT translation-table and making it fall over, thus creating an outage for everything behind the NAT. I've seen this happen many times, especially in the mobile/fixed wireless space.
Likewise, they should implement anti-spoofing northbound, eastbound, and westbound of the NAT (eastbound and westbound assume it's a network of some scope), so that nothing else on their networks can send spoofed packets to external networks.
-----------------------------------------------------------------------
Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>
Luck is the residue of opportunity and design.
-- John Milton
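
The failure mode described in the message above, as an added example that is not part of the original post: a toy model of a NAT translation table fed spoofed-source SYNs, with and without a source check southbound of the NAT. The prefix, table limit, addresses and the `NatModel` class are assumptions constructed for illustration; the prefix check stands in for an ACL or uRPF-style filter.

```python
import ipaddress

INSIDE = ipaddress.ip_network("10.20.0.0/24")   # assumed subscriber prefix behind the NAT
TABLE_LIMIT = 1000                               # assumed translation-table capacity

class NatModel:
    """Toy NAT: one table entry per new outbound flow, fixed capacity."""
    def __init__(self, limit, inside=None):
        self.limit, self.inside = limit, inside  # inside=None: no source validation
        self.table = set()
        self.dropped_spoofed = 0
        self.refused_full = 0

    def outbound_syn(self, src, sport, dst, dport):
        # Anti-spoofing southbound of the NAT: discard before a translation is created.
        if self.inside is not None and ipaddress.ip_address(src) not in self.inside:
            self.dropped_spoofed += 1
            return False
        flow = (src, sport, dst, dport)
        if flow not in self.table:
            if len(self.table) >= self.limit:
                self.refused_full += 1       # table exhausted: new flows fail
                return False
            self.table.add(flow)
        return True

def constructed_traffic():
    """Constructed sample: 5000 spoofed-source SYNs from one infected host, then 50 real subscribers."""
    base = int(ipaddress.ip_address("198.18.0.0"))
    for i in range(5000):
        yield ("spoofed", str(ipaddress.ip_address(base + i)), 40000, "203.0.113.10", 80)
    for h in range(1, 51):
        yield ("legit", f"10.20.0.{h}", 50000, "203.0.113.20", 443)

def run(filtering):
    nat = NatModel(TABLE_LIMIT, INSIDE if filtering else None)
    legit_ok = 0
    for kind, *pkt in constructed_traffic():
        if nat.outbound_syn(*pkt) and kind == "legit":
            legit_ok += 1
    return {"legit_ok": legit_ok, "table": len(nat.table),
            "dropped_spoofed": nat.dropped_spoofed, "refused_full": nat.refused_full}

if __name__ == "__main__":
    print("no filter:", run(False))
    print("filtered: ", run(True))
```

A prefix check like this does not stop a host from spoofing another address inside the same prefix; per-port bindings such as IP Source Guard cover that case.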