[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Spoofing ASNs (Re: SNMP DDoS: the vulnerability you might not know you have)

Subject: Spoofing ASNs (Re: SNMP DDoS: the vulnerability you might not know you have)
From: jared at puck.nether.net (Jared Mauch)
Date: Thu, 8 Aug 2013 13:45:03 -0400
In-reply-to: <CAEmG1=o_E5K3n8MjmovCE7c2GsYELHX1fb_bsgKQZHFYt_E1oQ@mail.gmail.com>
References: <CAJvB4t=MFhVNpmBwKdMrcc5ZCQkO1LSpNbsqtJu27WjQd=cpJA@mail.gmail.com> <CE1EA166.16075%[email protected]> <CAJvB4tngwy0rMwvnUSMkEYGPevE8wRBxZBGfKF8vjGA1JpEOHA@mail.gmail.com> <CA+2UFhksZz9Kb0LRO29STMzj-KZchD94ZxvqibMW=R8tAV_ufw@mail.gmail.com> <[email protected]> <CAJvB4tk2S=D+z_kn_6_tEpGiB2feYGbXTBhimtgZfZ5ikTB7yg@mail.gmail.com> <CAAAwwbWCSsp1a7U43NLU=fwMeGXrSUGZEm0ZVwSkiaEmRDKgXg@mail.gmail.com> <CA+2UFhntL-iKdGc7Ev9UbPB-y5QkO5eA=nxFfsmNMq50ZUkPqA@mail.gmail.com> <[email protected]> <[email protected]> <CAEmG1=o_E5K3n8MjmovCE7c2GsYELHX1fb_bsgKQZHFYt_E1oQ@mail.gmail.com>

On Aug 8, 2013, at 1:40 PM, Matthew Petach <mpetach at netflight.com> wrote:

> 
> 
> On Thu, Aug 8, 2013 at 10:29 AM, Jared Mauch <jared at puck.nether.net> wrote:
> 
> On Aug 1, 2013, at 2:31 AM, Saku Ytti <saku at ytti.fi> wrote:
> 
> > On (2013-07-31 17:07 -0700), bottiger wrote:
> >
> >> But realistically those 2 problems are not going to be solved any time
> >> in the next decade. I have tested 7 large hosting networks only one of
> >> them had BCP38.
> >
> > I wonder if it's truly that unrealistic. If we target access networks, it
> > seems impractical target.
> >
> > We have about 40k origin only ASNs and about 7k ASNs which offer transit,
> > who could arguably trivially ACL those 40k peers.
> >
> > If we truly tried, as a community to make deploying these ACLs easy and
> > actively reach out those 7k ASNs and offer help, would it be unrealistic to
> > have ACL deployed to sufficiently large portion of networks to make
> > spoofing impractical/expensive?
> 
> The following is a sorted list from worst to best of networks that allow spoofing: (cutoff here is 25k)
> 
> (full list - http://openresolverproject.org/full-spoofer-asn-list-201307.txt )
> 
>  
> Count   ASN#
> ------------
> 1323950 3462
> 1300938 4134
> 1270046 8151
> 1213972 9737
> ...
> 
> For the technically clueless among us...
> 
> what does "count" refer to in this output?
> How many times you were able to spoof
> an address through them?  How many
> different addresses you could spoof through
> them?  How many spoofed packets made it
> through before being blocked?
> 
> It's kinda hard to know what the list
> represents without a bit of explanation
> around it.  ^_^;

Number of unique IPs that spoofed a packet to me. (eg: I sent a packet to 1.2.3.4 and 5.6.7.8 responded).

If those ASNs are downstream to you, or you are part of that ASN, you can ask for a list of the IPs involved.

Either way, if you have 1.2 million hosts, it may be a lot of BCP38 you need to apply.

- Jared

Follow-Ups:
- Spoofing ASNs (Re: SNMP DDoS: the vulnerability you might not know you have)
  - From: fw at deneb.enyo.de (Florian Weimer)

References:
- SNMP DDoS: the vulnerability you might not know you have
  - From: bottiger10 at gmail.com (bottiger)
- SNMP DDoS: the vulnerability you might not know you have
  - From: saku at ytti.fi (Saku Ytti)
- Spoofing ASNs (Re: SNMP DDoS: the vulnerability you might not know you have)
  - From: jared at puck.nether.net (Jared Mauch)
- Spoofing ASNs (Re: SNMP DDoS: the vulnerability you might not know you have)
  - From: mpetach at netflight.com (Matthew Petach)

Prev by Date: Spoofing ASNs (Re: SNMP DDoS: the vulnerability you might not know you have)
Next by Date: Spoofing ASNs (Re: SNMP DDoS: the vulnerability you might not know you have)
Previous by thread: Spoofing ASNs (Re: SNMP DDoS: the vulnerability you might not know you have)
Next by thread: Spoofing ASNs (Re: SNMP DDoS: the vulnerability you might not know you have)
Index(es):
- Date
- Thread