
large BCP38 compliance testing



On 10/2/2014 6:10 AM, Mikael Abrahamsson wrote:
>
> Hi,
>
> To fix a lot of the DDOS attacks going on, we need to make sure BCP38 
> compliance goes up. Only way to do this I can think of, is large scale 
> BCP38 testing. One way of doing this, is to have large projects such 
> as OpenWRT, RIPE Atlas project, perhaps even CPE vendors, implement 
> something that would spoof 1 packet per day or something to a known 
> destination, and in this packet the "real" source address of the 
> packet is included.
>
> I have been getting pushback from people that this might be "illegal". 
> Could anyone please tell me what's illegal about trying to send a 
> packet with a random source address?
>
> If we can get consensus in the operational world that this is actually 
> ok, would that help organisations to implement this kind of testing? I 
> could see vendors implement a test like "help verify network stability 
> and compliance, these tests are anonymous" checkbox during the initial 
> install, or something like this.
>
> Why isn't this being done? Why are we complaining about 300 gigabit/s 
> DDOS attacks, asking people to fix their open resolvers, NTP servers 
> etc, when the actual culprit is that some networks in the world don't 
> implement BCP38?
>

A lot of the discussion on BCP38 seems to be around providers who are 
unintentionally allowing IP spoofing.

What about providers who knowingly allow IP spoofing, because it's 
profitable?

There's a provider that basically caters to the DDOS-as-a-service 
industry by selling servers with unmetered connections, where they allow 
IP spoofing. (If you've ever looked into this at all, you know exactly 
who I'm talking about).