register.com down sev0?

I don't want to detract from the heat of this discussion, as
important as it is, but it (the discussion) illustrates a point
that RIPE has recognized -- and is actively pursuing -- yet, ISPs
on this continent seem consistently to ignore: The consistent
implementation of BCP 38.

It is nothing less than irresponsible, IMO...

Why _is_ that?

- ferg

Do you have any data concerning the actual consistent deployment of BCP38++ in different parts of the world?

oh? you have knowledge that this botnet attack used spoofed source
addresses?

randy

The same people I mentioned the other day as not having enough clue to
do DNS correctly don't have enough clue to do BCP38 correctly either.
As one person mentioned, if stuff still requires pioneer-level skillsets
to use, the pioneers have more work to do. The problem is that the
following wave seems to be made up mostly of chimpanzees, and nobody's
figured out how to make routers and network services that can be run
by chimps...

Maybe the new slogan needs to be "Save the Internet! Train the chimps!"

Shouldn't 'ip verify unicast source reachable-by rx' be a default setting on all interfaces? Only to be removed by trained chimps?

-Matt

what's curious, to me at least, is that folks equate 'botnet' and 'spoofed
source attacks' more often than I'd think is reasonable. I've not got
'hard numbers' but almost every time the attack is determined to be
'botnet' it's not spoofed.

Odd... (not that I'm against bcp38, I just think the distraction in
conversation from 'bcp38 is good' to 'we must stop bots' is not helpful)

bingo!

when you have religion about a hammer, everything looks like a
nail.

randy

Matthew Crocker wrote:

Maybe the new slogan needs to be "Save the Internet! Train the chimps!"

Shouldn't 'ip verify unicast source reachable-by rx' be a default setting on all interfaces? Only to be removed by trained chimps?

Only if you wish to break existing configurations during IOS upgrades. I could see ip verify unicast source reachable-by any (less breakage), but rx will kill all types of good asymmetric routing. The largest breakage I have seen caused by rx is the link IP breakage caused by the router responding out multiple interfaces. It's also a problem when customers are straddling the fence, purposefully using asymmetric routing.

It would be nicer to have router support where a packet is acceptable if its network is acceptable in the BGP (or IGP) policy/filter (i.e., the network may not be there, but it is allowed) as well as the link addresses associated with the BGP (or IGP) peer.

-Jack
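A small model of the trade-off Jack describes, added here as an illustration and not code from anyone in the thread: strict uRPF ('rx') drops a legitimate packet from a dual-homed customer whose best return route points at another interface, loose uRPF ('any') accepts it, and a hypothetical 'policy' mode approximates his proposal of accepting any source the peer's BGP prefix filter would permit. The FIB, interface names and prefix-lists are constructed, and ignoring the default route in the FIB lookup is an assumption about how the check behaves without an allow-default option.

```python
import ipaddress

# Constructed data: a router with two customer-facing links (eth0, eth1)
# and an upstream (eth2). Customer B is dual-homed; the router's best
# route back to B leaves via eth1, yet B also sends traffic in on eth0.
FIB = {
    "192.0.2.0/24": "eth0",      # customer A, single-homed
    "198.51.100.0/24": "eth1",   # customer B, best return path is eth1
    "0.0.0.0/0": "eth2",         # default route toward upstream
}

# Hypothetical per-interface prefix-lists, standing in for what the
# inbound BGP policy on each peer would permit (not an IOS feature).
PEER_POLICY = {
    "eth0": ["192.0.2.0/24", "198.51.100.0/24"],
    "eth1": ["198.51.100.0/24"],
}

def best_route(src):
    """Longest-prefix match in FIB as (network, interface) or None.
    The default route is skipped (assumption: no allow-default)."""
    ip = ipaddress.ip_address(src)
    best = None
    for prefix, iface in FIB.items():
        net = ipaddress.ip_network(prefix)
        if net.prefixlen == 0:
            continue
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best

def rpf_check(src, ingress, mode):
    """True if a packet with source src arriving on ingress is accepted.
    'rx': strict, route back to src must exit via ingress.
    'any': loose, any non-default route to src suffices.
    'policy': hypothetical, src lies within a prefix the peer may announce."""
    if mode == "policy":
        ip = ipaddress.ip_address(src)
        return any(ip in ipaddress.ip_network(p) for p in PEER_POLICY.get(ingress, []))
    route = best_route(src)
    if route is None:
        return False          # unknown source: dropped in both rx and any
    return route[1] == ingress if mode == "rx" else True

def evaluate(packets):
    """packets: list of (src, ingress) -> {(src, ingress): {mode: verdict}}."""
    return {(s, i): {m: rpf_check(s, i, m) for m in ("rx", "any", "policy")}
            for s, i in packets}
```

Run `evaluate([("198.51.100.7", "eth0")])` to see the asymmetric case: rejected by 'rx', accepted by 'any' and 'policy'.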

SAT time.

Almost all spoofed attacks are run by botnets.
Almost all attacks are run by botnets
Almost all spoofed attacks are bigger by a large factor

Almost all botnet attacks are spoofed attacks? Not quite.

That's about it.