Home page logo
/

nanog logo nanog mailing list archives

Re: Anti-spoofing: is anyone doing it?
From: Steve Schaefer <schaefer () simone dashbit com>
Date: Sat, 26 May 2001 22:17:38 -0700 (PDT)


I think you should allow it as an explicit case.  That is, you should
block unknown IP addresses as a general policy, but allow it by static
entry whenever anyone asks.  As the direct access provider, you should be
responsible for blocking spoofing.

Your BGP peers, recognizing you as an ISP should accept that you are a
significant provider and allow you to manage your own policies.
Alternatively, they should ask you what your policies are, and block
spoofing from your network only if you are not blocking spoofing yourself.

As part of our business, we manage a voluntary community of test points,
which primarily do remote traceroutes for the other members of the
community.  I've looked at a lot of outbound routes, and I can verify that
your 5% number is in the right ballpark.  Maybe a little high, but
reasonable.

Unconventional outbound routing policies are not always as clear as the
simple case that you gave.  I've seen outbound traffic split by an ISP
between two upstreams, apparently based on some static mapping of
destination IP address (not based on BGP routes...)  I've also seen all
outbound traffic routed to one backbone AS where the source addresses are
part of a different backbone AS.

But if you want to see something really weird, try this looking glass:

http://lookingglass.glassberg.org/cgi-bin/lg.pl

Trace to one of our addresses, if you like: 192.35.156.23

They seem to split their outbound traffic in some random way between
Genuity and UU Net.  If anyone can tell me what they are doing, I'd love
to know.

In any case, weirdness abounds.  Accomodating customers who are weird is
part of life, as long as they are willing to tell you what they are trying
to do.


Steve Schaefer

Dashbit - The Leader In Internet Topology
www.dashbit.com         www.traceloop.com


On Sun, 27 May 2001, Hank Nussbacher wrote:


I have recently been researching anti-spoofing for two ISPs and have an
operational question or two.

We have found that about 5% of sites are connected to 2 ISPs but do not use
BGP.  They use two different sets of IP addresses and point default to one
of the two ISPs.  The return traffic will of course go to them via one of
the two ISPs, but if you have anti-spoofing filters set up or try to set it
up now, you will break their outgoing traffic.

Reasons to allow it:

1) Here we have multihomed customers, who are not eating up ASN space and
are not asking for PI space and are happy the way they are working.  By
stopping them, we will force this 5% to ask for ASNs and PI space.  So for
the general well-being of the Internet - why not just let them be.
2) Anti-spoofing is set up to stop attacks from unknown IPs (RFC1918) or
from an IP that doesn't belong to you.  In this case, the IP can be traced
back to the user (via ISP #2).
3) If you block it, the customer will leave and go to another ISP that does
not block these IP addresses.

Reasons to not allow it:

1) If ISP #1 has blocked the customer due to being an open mail relay
(example), and then that customer just sends the traffic out via ISP #2
(using ISP #1 IPs), they have circumvented the filter and blame will be
placed on ISP #1 for not stopping an open email relay (this has actually
happened once before).
2) I should not be announcing traffic for IPs that I am not announcing
routing updates.

I am curious if others have found this 5% occurence and I am curious why no
one else has raised this issue before.  Could it be that almost no one is
running uRPF and/or anti-spoofing filters?

Thanks,
Hank






  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]