[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

BCP38 tester?

On Apr 1, 2013, at 1:31 PM, Jimmy Hess wrote:

> If your packet source address is clamped, then, by definition a host can't spoof a packet, right;  so maybe that's not a host that needs to
> be tested further  (the upstream provider might still have no BCP38, it's just not exposed to that particular host).

Folks should implement anti-spoofing southbound of their NATs, using uRPF, ACLs, IP Source Guard, Cable IP Source Verify, or whatever, in order to keep botted hosts attempting to launch outbound/crossbound spoofed DDoS attacks (such as spoofed SYN-floods) from filling up the NAT translation-table and making it fall over, thus creating an outage for everything behind the NAT.  I've seen this happen many times, especially in the mobile/fixed wireless space.

Likewise, they should implement anti-spoofing northbound, eastbound, and westbound of the NAT (eastbound and westbound assume it's a network of some scope), so that nothing else on their networks can send spoofed packets to external networks.

Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>

	  Luck is the residue of opportunity and design.

		       -- John Milton