[dns-operations] SAC004 & BCP38 [was: DNS deluge for x.p.ctrc.cc]

Mark Andrews Mark_Andrews at isc.org
Thu Mar 2 13:38:05 UTC 2006

> > [...Spoofing should be blocked / spoofing should not be blocked...]
> > > I consider 'spoofing' the practice of forging your IP header to
> > > be someone you are not.  This is a bit different than using your IP
> > > space across multiple providers, however I agree that in most
> > > instances it can be used to describe both.
> >
> > If there's both a 'legitimate' and malicious use of the same technique
> > (or very similar techniques), then sorting between the good guys and the
> > bad guys on our routers is going to be tough...
> He's not saying there are both legitimate and malicious uses for spoofing,
> he's saying one is spoofing the other is a misconfiguration and he's right.

	Actually one is spoofing and one is a perfectly legitimate
	configuration.  It's how IP was designed to work.
	And I don't believe it will be that tough.  Configure the
	firewall/router so that you can determine the edge networks
	that appear to be sending from forged addresses.  Notify
	them that you are seeing traffic not from their assigned
	address range and ask them whether this is legitimate traffic
	or not.  If it is legitimate traffic then please specify the
	address ranges to be added to the BCP38 filters.  Then
	say you intend to filter all traffic from unknown sources
	in X days where X is small.

	You don't actually have to block those that respond
	immediately.  Just block those that don't respond or that
	say that it is not legitimate traffic.

	This gives you time to engineer something sane for the
	customers that do need to send multiple addresses while
	blocking out the bots running on all the others.  An initial
	partial solution is better than no attempt at all.

Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org
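The procedure described in the post (find edge networks emitting traffic from outside their assigned ranges, notify them, add any declared ranges to the BCP38 filter, then deny everything else for those that don't respond or say the traffic is not legitimate) is shown below as an added example. It is not code from the original post or from ISC; the interface names, prefixes, flow records and customer responses are constructed, and the filter is emitted as generic (interface, action, prefix) rules rather than any particular vendor's ACL syntax.

```python
import ipaddress
from collections import defaultdict

# Constructed: edge interface -> prefixes assigned to the customer behind it.
ASSIGNMENTS = {
    "ge-0/0/1": ["192.0.2.0/24"],
    "ge-0/0/2": ["198.51.100.0/25"],
    "ge-0/0/3": ["203.0.113.0/24"],
    "ge-0/0/4": ["198.51.100.128/25"],
}

# Constructed: (ingress interface, source address) pairs as a flow collector
# might export them from the edge router.
SAMPLE_FLOWS = [
    ("ge-0/0/1", "192.0.2.10"),
    ("ge-0/0/1", "10.9.8.7"),        # outside the assignment: candidate forgery
    ("ge-0/0/2", "198.51.100.5"),
    ("ge-0/0/2", "198.51.100.200"),  # outside the /25: candidate forgery
    ("ge-0/0/3", "203.0.113.9"),
    ("ge-0/0/3", "172.16.0.2"),
    ("ge-0/0/3", "172.16.0.3"),
    ("ge-0/0/4", "10.0.0.1"),
]

# Constructed: what each customer answered to the notice.
#   ("legitimate", [prefixes]) -> customer says it is real traffic and lists the ranges
#   ("legitimate", [])         -> customer says it is real but has not yet supplied ranges
#   ("not_legitimate", [])     -> customer confirms it is not their traffic
#   None                       -> no response within the deadline
RESPONSES = {
    "ge-0/0/1": ("legitimate", ["10.9.8.0/24"]),  # multihomed customer, declared its other range
    "ge-0/0/2": None,
    "ge-0/0/3": ("not_legitimate", []),
    "ge-0/0/4": ("legitimate", []),
}


def find_unexpected_sources(flows, assignments):
    """Return {interface: sorted source addresses seen outside the interface's assigned ranges}."""
    nets = {iface: [ipaddress.ip_network(p) for p in prefixes]
            for iface, prefixes in assignments.items()}
    unexpected = defaultdict(set)
    for iface, src in flows:
        if iface not in nets:
            continue  # no assignment on record: nothing to compare against
        addr = ipaddress.ip_address(src)
        if not any(addr in net for net in nets[iface]):
            unexpected[iface].add(addr)
    return {iface: [str(a) for a in sorted(addrs)] for iface, addrs in unexpected.items()}


def build_filter(assignments, responses):
    """Return BCP38 ingress rules as (interface, action, prefix) tuples in evaluation order.

    Every interface permits its assigned ranges plus any ranges the customer
    declared.  A trailing deny is added for customers that did not respond,
    said the traffic is not theirs, or already supplied their extra ranges.
    A customer that answered "legitimate" but has not yet listed ranges is
    left without a deny so there is time to engineer something sane for it.
    """
    rules = []
    for iface, prefixes in sorted(assignments.items()):
        permitted = list(prefixes)
        response = responses.get(iface)
        hold = False
        if response is not None and response[0] == "legitimate":
            permitted += response[1]
            hold = not response[1]  # responded, ranges still outstanding
        for p in permitted:
            rules.append((iface, "permit", str(ipaddress.ip_network(p))))
        if not hold:
            rules.append((iface, "deny", "0.0.0.0/0"))
    return rules


def render(rules):
    """Render the rule tuples as one line each, for review before they go on a router."""
    return "\n".join(f"{iface} {action} {prefix}" for iface, action, prefix in rules)


if __name__ == "__main__":
    for iface, addrs in find_unexpected_sources(SAMPLE_FLOWS, ASSIGNMENTS).items():
        print(f"{iface}: sources outside assignment: {', '.join(addrs)}")
    print(render(build_filter(ASSIGNMENTS, RESPONSES)))
```

The first function is the detection step: it produces the per-customer list of addresses that should go into the notice. The second turns the replies into filter rules, keeping the post's distinction between customers that answered and those that did not.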
