On 2016-03-09 08:38, Grosser Stefan wrote:
Hi Everyone,
I am currently writing a little thesis about DDoS mitigations and would like to pick up an old topic: BCP38. While searching in the caves of the Swinog archive I didn't find much information in the past about this subject. Only an unanswered Mail-Post from 2014 from Jeroen Massar [1]
I would like to know how spoofable Switzerland's ISP/Networks are. It would be very nice if some of you Swinogers would participate in my survey.
VERY spoofable.
Which is why nobody really dares to talk about it likely as it is a huge infrastructure problem that ISPs do not want to invest in to resolve.
Noting that some hardware does not allow an ISP to do proper BCP38 either (even though people have been whining at Cisco and the likes for about a decade), but it is ridiculous that the edge does not filter simply on source prefixes.
The bigger problem than hardware is simply that many ISPs do not understand why BCP38/SAVE is important to implement.
But you are in luck, CAIDA recently took over the Spoofer project with a grant from the US government. And they are nicely going to publish and name and shame spoofable networks, please see:
http://blog.caida.org/best_available_data/2015/05/28/caida-takes-over-stewar...
and the main website http://spoofer.caida.org/
I suggest you contact KC Claffy for details about Switzerland ;)
Oh and yes: Dear ISPs: FIX YOUR ***** NETWORK!
As soon as you are in the newspapers that you allow spoofed mostly untraceable DDoS from your networks to other networks, that will have a nice PR effect for you... (apparently both Heise and even the NZZ were really interested in the data :)
For those ISPs that are willing to fix things, please check: https://www.routingmanifesto.org/manrs/
where on the Participant list you will only find SwissCom: https://www.routingmanifesto.org/participants/
Unfortunately they do not enforce that to other ISPs (and afaik not all of their network actually really complies with it...), it would be great if networks actually followed the full set of MANRS...
Greets, Jeroen
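
The edge filtering on source prefixes that the reply above asks for, shown as an added example that is not part of the original mail thread: a default-deny BCP38 ingress check applied to flow records. The interface names, prefix assignments and flows are constructed sample data using documentation address ranges.

```python
import ipaddress

# Constructed sample data: customer-facing edge interface -> prefixes
# assigned to that customer (documentation ranges only).
CUSTOMER_PREFIXES = {
    "edge1/cust-a": ["192.0.2.0/25", "2001:db8:a::/48"],
    "edge1/cust-b": ["198.51.100.0/24"],
}

# Constructed (interface, source address) pairs, as seen on ingress.
SAMPLE_FLOWS = [
    ("edge1/cust-a", "192.0.2.10"),       # inside cust-a's /25
    ("edge1/cust-a", "192.0.2.200"),      # same /24, but outside the /25
    ("edge1/cust-a", "198.51.100.7"),     # cust-b's space on cust-a's port
    ("edge1/cust-a", "2001:db8:a:1::5"),  # inside cust-a's IPv6 /48
    ("edge1/cust-b", "203.0.113.9"),      # not assigned on this port
    ("edge1/cust-b", "198.51.100.7"),     # legitimate on cust-b's port
]


def build_filters(assignments):
    """Parse each interface's prefix list once, like compiling an ACL."""
    return {
        ifname: [ipaddress.ip_network(p) for p in prefixes]
        for ifname, prefixes in assignments.items()
    }


def permit(filters, ifname, src):
    """Accept a packet only if src lies in a prefix assigned to ifname.

    Unknown interfaces and unparsable sources are dropped (default deny).
    """
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(
        addr.version == net.version and addr in net
        for net in filters.get(ifname, [])
    )


def audit(filters, flows):
    """Return {interface: [sources that fail the ingress check]}."""
    dropped = {}
    for ifname, src in flows:
        if not permit(filters, ifname, src):
            dropped.setdefault(ifname, []).append(src)
    return dropped


if __name__ == "__main__":
    for ifname, sources in audit(build_filters(CUSTOMER_PREFIXES), SAMPLE_FLOWS).items():
        print(ifname, "would drop:", ", ".join(sources))
```

The same per-interface prefix table is what an edge ACL or strict uRPF check enforces in hardware; running it over exported flow data first shows what a filter would drop before it is enabled.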