They are not suggesting centralization. They are suggesting bcp38 [0] This comes up quite often and people argue back and forth why they (the ISP's) can't or won't do this. Bcp38 simply requires ISP's to egress filter out IP traffic that does not belong to them.
I don't follow. Seems to me that whatever program/firmware on the router knows where to send incoming packets must also be able to trivially check and filter the addresses of outgoing ones.
Nope, not in the age of software defined networks. It's crazy to me this is still a problem. I worked at an ISP and VPS provider years ago on a tiny engineering team. We employed anti-spoofing at multiple layers; from the hypervisor out to the edge. It's usually just an extra line in a much larger, more complicated network config. In fact, if I were ranking the networking challenges from most to least mental cycles it would be near the bottom.
Bad/undesired decisions don’t require blatant corruption. This seems a simple case of poor incentives. If an ISP does egress filtering well, essentially no one notices. If they screw it up, customers lose connectivity and some portion of those customers will likely leave for a competitor. There’s risk with no reward.
Locally, yes. Spoofing IPs is one way of having a multi-homed cluster always respond on a given IP. (Higher layers figure out what's really going on, and co-ordinate responses correctly to end clients.)
In the sense of where bcp38 should be applied? I agree that it should be POSSIBLE, through some administrative means, to prove an entity does in fact own a given address range and to request the additional privilege of sending data as if it were from that range.
This would be how a non-ISP obtains an independent entity allocation and sets up multi-homing.
It's also how data-centers would allow a co-located server to do the same (and should require the same steps).
At the more backbone levels it should be possible to automatically determine IF ingress packets are from authorized sources. Failure to do this, and failure to respond in a timely manor to filtering invalid ingress, should result in 1) those packets being rejected (and visible rejection notices sent back) 2) if the issue persists, the source of that address being blocked /entirely/ from the Internet, as a non-administered system.
Grace time should likely depend on the severity of the issue (volume of problem traffic/load on the upstream filtering capacity).
Of course there are, just like there are many valid reasons for leaving a return address off of postal mail.
Imagine the anonymity of the type of P2P networks that could be built if end users could still rely on ip->saddr not being required. Broadcast a request for a specific file, and then willing/able peers could anonymously stream fountain-coded bulk data, and nobody would be able to tell who actually supplied the file.
There are some legit uses to faking the source of an UDP address. Usually clustering or failover. Can also be useful when you have multiple gateways to the internet.
There is also, always, penetration testing where you legit want to do it to see if the network holds up to it.
Bgp hijacking is possible because bgp isn’t really authenticated. It would be difficult to authenticate but if that were done it would not prevent anycast routing.
Your incumbent won't do filtering.
Your incumbent won't maintain proper 'route' objects https://www.ripe.net/manage-ips-and-asns/db/support/managing...
Your shoestring independent ISP won't to that either.
Who is left? Tier1 ISP and some of them do BCP38 filtering sometimes on some ports.
As someone who has been doing 'shoestring independent ISPs' for almost 15 years my impression is that nearly all upstream providers (the ones we buy service from - not always but sometimes tier 1 providers) do outgoing IP filtering. Whenever I get a new IPv4 allocation from ARIN (at least when we used to be able to do that - they're all gone now) we had to go through a process with our upstream provider so that they would allow our BGP advertisements for that block as well as allow those source addresses to route through their network.
They may filter what routes you can advertise via BGP, but nearly every Tier 1(And most Tier 2) providers will accept traffic sourced from any IP address. I handle about 10 different connections and can source traffic from any IP on all of them.
This is an odd change from Cloudflare. Were it not for the DDoS amplification problem it'd be perfectly reasonable to make recursive DNS servers publicly accessible, but memcached servers should never be exposed to the public internet - they're not designed to be and doing so allows everyone to exfiltrate, modify or delete the cached data which you almost certainly don't want to be possible.
Right, exposing a memcached server is bad because memcached isn't meant to be public. However, in the context of DRDoS discussions it doesn't matter if the UDP service is good for public exposure. That's completely a distraction from the underlying IP spoofing disease that enables attacks on all connectionless protocols.
37 comments
[ 4.1 ms ] story [ 69.8 ms ] threadBecause all traffic is treated at face value and not deep filtered and throttled according to some company's whims.
Cloudflare wants to change this. Cloudflare wants centralization. Cloudflare wants blacklists.
[0] - https://tools.ietf.org/html/bcp38
"ip verify unicast source reachable-via rx" in the Cisco world.
Who stands to gain from this and how much are they willing to kickback for "looking the other way"?
I’m not sure DDOS traffic is really significant from an egress standpoint.
For example, on the server side, BGP hijacking and anycast routing are enabled by the same bug or feature, depending how you look at it.
Testing?
In the sense of where bcp38 should be applied? I agree that it should be POSSIBLE, through some administrative means, to prove an entity does in fact own a given address range and to request the additional privilege of sending data as if it were from that range.
This would be how a non-ISP obtains an independent entity allocation and sets up multi-homing.
It's also how data-centers would allow a co-located server to do the same (and should require the same steps).
At the more backbone levels it should be possible to automatically determine IF ingress packets are from authorized sources. Failure to do this, and failure to respond in a timely manor to filtering invalid ingress, should result in 1) those packets being rejected (and visible rejection notices sent back) 2) if the issue persists, the source of that address being blocked /entirely/ from the Internet, as a non-administered system.
Grace time should likely depend on the severity of the issue (volume of problem traffic/load on the upstream filtering capacity).
https://omri.org.il/2014/08/08/hacking-asymmetric-and-symmet...
Imagine the anonymity of the type of P2P networks that could be built if end users could still rely on ip->saddr not being required. Broadcast a request for a specific file, and then willing/able peers could anonymously stream fountain-coded bulk data, and nobody would be able to tell who actually supplied the file.
There is also, always, penetration testing where you legit want to do it to see if the network holds up to it.
https://www.caida.org/projects/spoofer/
What was your experience?
https://blog.cloudflare.com/the-ddos-that-knocked-spamhaus-o...