
Thank you, Comcast.

On Fri, Feb 26, 2016 at 6:28 AM, Jared Mauch <jared at puck.nether.net> wrote:

> As a community we need to determine if this background radiation and these
> responses are proper. I think it's a good response since vendors can't do
> uRPF at line rate and the major purchasers of BCM switches don't ask for it
> and aren't doing it, so it's not optimized or does not exist. /sigh

I don't agree with the approach of going after individual reflectors
(open*project) or blocking specific ports (Comcast's action here) as both
are reactive, unlikely to be particularly effective (there are still
millions of reflectors and plenty of open ports available), and don't solve
the root problem (spoofed packets making it onto the public internet).
What I'd much rather see Comcast do is use their netflow to trace the
source of the spoofed packets (one of their peers or transit providers, no
doubt) and strongly encourage (using their legal or PR team as needed) them
to trace back and stop the spoofing.  This benefits everyone in a much more
direct and scalable way.  Until some of the larger providers start doing
that, amplification attacks and other spoofed-source attacks (DNS and
synfloods) will continue to thrive.

(I've contacted several ISPs about the spoofed traffic they send to us.
The next major hurdle is that so many don't have netflow or other useful
monitoring of their networks....)
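
The NetFlow trace-back suggested in the message above, as an added example (not part of the original post and not any provider's tooling): given the address of an attack victim, it totals the reflector-bound requests that claim that source by ingress interface, which points at the peer or transit link carrying the spoofed packets. The flow tuple layout, interface names, port set and prefixes are assumptions, and the records are constructed.

```python
import ipaddress
from collections import defaultdict

# Constructed flow records (documentation addresses, not real traffic):
# (ingress interface, src IP, dst IP, protocol, dst port, bytes)
FLOWS = [
    ("peer-A",    "192.0.2.50",   "203.0.113.10",  "udp", 123, 4800),
    ("peer-A",    "192.0.2.50",   "203.0.113.77",  "udp", 123, 5200),
    ("transit-B", "192.0.2.50",   "203.0.113.10",  "udp", 53,  600),
    ("transit-B", "198.51.100.9", "203.0.113.10",  "udp", 53,  900),   # other source
    ("peer-A",    "192.0.2.50",   "203.0.113.10",  "tcp", 443, 7000),  # not a reflector request
    ("peer-C",    "192.0.2.50",   "198.51.100.20", "udp", 123, 3000),  # not destined to us
]

# Assumption: prefixes where our own hosts (the potential reflectors) live.
LOCAL_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]
# Assumption: UDP services to treat as amplification-prone (DNS, NTP, SSDP).
REFLECTOR_PORTS = {53, 123, 1900}


def trace_spoofed_ingress(flows, victim_prefix,
                          local_prefixes=LOCAL_PREFIXES, ports=REFLECTOR_PORTS):
    """Return [(interface, bytes, flow_count)] for requests that claim a source
    inside victim_prefix and target reflector ports on local hosts, largest first."""
    victim = ipaddress.ip_network(victim_prefix)
    totals = defaultdict(lambda: [0, 0])
    for iface, src, dst, proto, dport, nbytes in flows:
        if proto != "udp" or dport not in ports:
            continue  # only UDP requests to amplification-prone services
        if ipaddress.ip_address(src) not in victim:
            continue  # source does not claim to be the victim
        if not any(ipaddress.ip_address(dst) in net for net in local_prefixes):
            continue  # request is not aimed at one of our hosts
        totals[iface][0] += nbytes
        totals[iface][1] += 1
    rows = [(iface, b, n) for iface, (b, n) in totals.items()]
    return sorted(rows, key=lambda r: r[1], reverse=True)


if __name__ == "__main__":
    for iface, nbytes, count in trace_spoofed_ingress(FLOWS, "192.0.2.0/24"):
        print(f"{iface}: {nbytes} bytes in {count} flows claiming the victim's source")
```

The interface at the top of the list is the neighbor to ask to continue the trace on their side; sampled flow data scales the byte counts but not the ranking.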