Here's a piece which uses the MIT ANA data to assert that the job is mostly done already.
Unless I'm very much mistaken, it appears that a large percentage of the failed BCP 38 spoofing tests listed in that data are actually due to customer side NAT routers dropping packets...
which is of course egress filtering rather than ingress filtering, and thus doesn't actually apply to our questions.
I'm not surprised in any regard. There are too many names for BCP-38, SAV, SSAC-004, BCP-84, Ingress Filtering, etc.
There are many networks that perform this best practice either by "default" through NAT/firewalls or by explicit configuration of the devices.
There are many networks that one will never be able to measure nor audit as well, but that doesn't mean we shouldn't continue to work on tracking back spoofed packets and reporting the attacks, and securing devices.
Barry is a well-respected security researcher. I'm surprised he
posted this.
In his defense, he did it over a year ago (June 11, 2012). Maybe
we should ask him about it. I'll do that now....
I'm not surprised in any regard. There are too many names for
BCP-38, SAV, SSAC-004, BCP-84, Ingress Filtering, etc.
This is why I am now using the phrase "anti-spoofing" when talking
about this in public. It is far less cryptic, and I am breaking it into
bite-sized components that people can actually understand.
As engineers & technical people, we need to start using language
people can wrap their brains around easily.
Remember: We are living in the age of instant gratification and
Attention Deficit Disorder.
- ferg
There are many networks that perform this best practice either by
"default" through NAT/firewalls or by explicit configuration of the
devices.
There are many networks that one will never be able to measure nor
audit as well, but that doesn't mean we shouldn't continue to work
on tracking back spoofed packets and reporting the attacks, and
securing devices.
- Jared
--
Paul Ferguson
VP Threat Intelligence, IID
PGP Public Key ID: 0x54DC85B2
I agree that Barry's post can be read in misleading ways and I seem to
recall chatting about that with him at some point.
As to one poster's comment about random sampling, I'm pretty sure the
Spoofer project likely fell short in a number of ways (e.g. being
documented in not every language).
So, if NATs prevent (many? most?) end-user machines from being able to inject
spoofed IPv4 source addresses (IPv6 home gateways may well not provide such
protection), maybe we should conclude that most of the spoofing is coming
from somewhere else; perhaps including colo and cloud providers.
I wonder how many users/admins of those kinds of machines ran the Spoofer
test SW.
My theory - not yet backed by data - is that probably most spoofed traffic these days does in fact emanate from IDC networks, and that a non-trivial proportion of same emanates from a relatively small number of such networks.
In many cases, it's possible to put 'naked' hosts on home broadband connections, however - and how common that is, and what proportion of those broadband access networks don't run any form of anti-spoofing, is an open question.
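As an added illustration (not part of the thread), the difference between the provider-side ingress check (BCP 38 / SAV) discussed at the top and the NAT behaviour of a home gateway, including the IPv6 case raised above. The port names, prefixes and the simplified gateway model are constructed assumptions, not measured data.

```python
import ipaddress

# Constructed example: a provider edge that knows which prefixes were
# assigned to each customer-facing port. This is ingress filtering in the
# BCP 38 sense: the provider checks sources, not the customer's own box.
EDGE_ALLOWED = {
    "cust-port-1": [ipaddress.ip_network("203.0.113.0/24"),
                    ipaddress.ip_network("2001:db8:1::/48")],
    "cust-port-2": [ipaddress.ip_network("198.51.100.0/24")],
}


def edge_ingress_ok(ingress_port, src):
    """Provider-edge SAV: accept only if src lies in a prefix assigned to the
    port it arrived on. Packets from unknown ports are dropped."""
    src_ip = ipaddress.ip_address(src)
    return any(src_ip in net for net in EDGE_ALLOWED.get(ingress_port, []))


def home_gateway_egress(src, lan_v4="192.168.0.0/24", wan_v4="203.0.113.7",
                        lan_v6="2001:db8:1:aa::/64", v6_sav=False):
    """Simplified home gateway (assumed model, not any vendor's code).
    IPv4: sources inside the LAN are translated to the WAN address; a forged
    source outside the LAN matches no NAT state and is dropped, which is the
    'egress filtering by accident' effect the thread describes.
    IPv6: there is no NAT, so the packet is forwarded with its source intact
    unless the gateway explicitly filters (v6_sav=True).
    Returns the source seen on the WAN side, or None if dropped."""
    src_ip = ipaddress.ip_address(src)
    if src_ip.version == 4:
        if src_ip in ipaddress.ip_network(lan_v4):
            return wan_v4
        return None
    if v6_sav and src_ip not in ipaddress.ip_network(lan_v6):
        return None
    return src


def end_to_end(src, ingress_port="cust-port-1", v6_sav=False):
    """Run a packet through the home gateway and then the provider edge.
    Returns 'dropped-at-home', 'dropped-at-edge' or 'forwarded'."""
    wan_src = home_gateway_egress(src, v6_sav=v6_sav)
    if wan_src is None:
        return "dropped-at-home"
    return "forwarded" if edge_ingress_ok(ingress_port, wan_src) else "dropped-at-edge"
```

The IPv6 case shows why NAT at the customer is no substitute for the provider's ingress filter: a forged IPv6 source passes an unfiltered gateway and is only caught at the edge.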