[dns-operations] SAC004 & BCP38 [was: DNS deluge forx.p.ctrc.cc]
Mark Andrews
Mark_Andrews at isc.org
Thu Mar 2 13:38:05 UTC 2006
> > [...Spoofing should be blocked / spoofing should not be blocked...]
> > > I consider 'spoofing' the practice of forging your IP header to
> > > be someone you are not. This is a bit different than using your IP
> > > space across multiple providers, however I agree that in most
> > > instances it can be used to describe both.
> >
> > If there's both a 'legitimate' and malicious use of the same technique
> > (or very similar techniques), then sorting between the good guys and the
> > bad guys on our routers is going to be tough...
>
> He's not saying there are both legitimate and malicious uses for spoofing,
> he's saying one is spoofing the other is a misconfiguration and he's right.
Actually one is spoofing and one is a perfectly legitimate
configuration. It's how IP was designed to work.
And I don't believe it will be that tough. Configure the
firewall/router so that you can determine the edge networks
that appear to be sending from forged addresses. Notify
them that you are seeing traffic not from their assigned
address range and ask them is this legitimate traffic or
not. If it is legitimate traffic then please specify the
address ranges to be added to the BCP38 filters. Then
say you intend to filter all traffic from unknown sources
in X days where X is small.
You don't actually have to block those that respond
immediately. Just block those that don't respond or that
say that it is not legitimate traffic.
This gives you time to engineer something sane for the
customers that do need to send multiple addresses while
blocking out the bots running on all the others. An initial
partial solution is better than no attempt at all.
Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at isc.org
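The rollout Mark describes above (spot edge interfaces that emit packets sourced outside their assigned ranges, notify the customer, then enforce BCP38 filters on the ones that do not answer or say the traffic is not theirs, while adding the ranges that responding customers name) as an added example, not code from the original post or from ISC. The interface names, prefixes, flow records and customer answers are all constructed for illustration; the ACL rendering is a generic syntax, not any specific vendor's.

```python
"""Added example: the BCP38 staged-rollout procedure from the post, on
constructed data.  Interface names, prefixes, flow records and customer
responses are hypothetical."""
import ipaddress
from collections import defaultdict

# Hypothetical edge assignments: ingress interface -> prefixes the customer
# is entitled to source packets from.
ASSIGNMENTS = {
    "ge-0/0/1": ["192.0.2.0/24"],
    "ge-0/0/2": ["198.51.100.0/25"],
    "ge-0/0/3": ["203.0.113.0/24"],
}

# Constructed flow samples: (ingress interface, source address, packet count).
FLOWS = [
    ("ge-0/0/1", "192.0.2.17", 1200),
    ("ge-0/0/1", "198.51.100.200", 3),    # outside assignment: multihomed customer?
    ("ge-0/0/2", "198.51.100.5", 800),
    ("ge-0/0/2", "10.45.3.9", 9000),      # looks like a bot spraying random sources
    ("ge-0/0/2", "172.16.88.1", 9100),
    ("ge-0/0/3", "203.0.113.44", 500),
]


def find_forged_sources(flows, assignments):
    """Step 1 of the post: return {interface: {source: packets}} for packets
    whose source address lies outside that interface's assigned prefixes."""
    nets = {ifc: [ipaddress.ip_network(p) for p in pfx]
            for ifc, pfx in assignments.items()}
    suspect = defaultdict(dict)
    for ifc, src, pkts in flows:
        addr = ipaddress.ip_address(src)
        if not any(addr in n for n in nets.get(ifc, [])):
            suspect[ifc][src] = suspect[ifc].get(src, 0) + pkts
    return dict(suspect)


def build_filters(assignments, forged, responses):
    """Steps 2-3 of the post.  `responses` maps a notified interface to the
    extra prefixes the customer named as legitimate ([] meaning "not our
    traffic", absent meaning no answer).  Customers who named ranges get
    them added and are not enforced yet; everyone else is enforced now."""
    policy = {}
    for ifc, pfx in assignments.items():
        permitted = [ipaddress.ip_network(p) for p in pfx]
        extra = responses.get(ifc) if ifc in forged else None
        if extra:
            permitted += [ipaddress.ip_network(p) for p in extra]
            enforce = False       # give them time, as the post suggests
        else:
            enforce = True        # no forged traffic, no answer, or "not ours"
        policy[ifc] = {"permit": sorted(permitted), "enforce": enforce}
    return policy


def render_acl(policy):
    """Render the policy as generic per-interface ingress ACL text
    (illustrative syntax only)."""
    lines = []
    for ifc, p in sorted(policy.items()):
        state = "enforce" if p["enforce"] else "log-only, ranges pending"
        lines.append(f"interface {ifc}  # {state}")
        for net in p["permit"]:
            lines.append(f"  permit source {net}")
        lines.append("  deny source any" if p["enforce"] else "  log source any")
    return lines


if __name__ == "__main__":
    forged = find_forged_sources(FLOWS, ASSIGNMENTS)
    # Constructed answers to the notification: ge-0/0/1 names a second range,
    # ge-0/0/2 says the traffic is not theirs.
    responses = {"ge-0/0/1": ["198.51.100.128/25"], "ge-0/0/2": []}
    for line in render_acl(build_filters(ASSIGNMENTS, forged, responses)):
        print(line)
```

Because `build_filters` only defers enforcement on interfaces that both emitted out-of-range sources and answered with ranges, interfaces that never forged anything get the plain assigned-prefix filter immediately, which is the "initial partial solution" the post argues for.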