List: nanog
Subject: Re: urpf - evil?
From: Martijn Schmidt via NANOG <nanog () nanog ! org>
Date: 2020-10-30 20:16:12
Message-ID: CY4PR17MB16692EA59069E306A17213A19E150 () CY4PR17MB1669 ! namprd17 ! prod ! outlook ! com
Hi Baldur,
You are at risk of facilitating spoofed and/or reflection DDoS attacks if you don't implement BCP38. That's why uRPF exists. :)
Best regards,
Martijn
________________________________
From: NANOG <nanog-bounces+martijnschmidt=i3d.net@nanog.org> on behalf of Baldur Norddahl <baldur.norddahl@gmail.com>
Sent: 30 October 2020 20:29
To: nanog@nanog.org <nanog@nanog.org>
Subject: urpf - evil?
Hello
While working on my ACLs I noticed that I was successful in blocking some apparently spoofed IPv6 traffic. The destination was Facebook and the source was an IPv6 range belonging to a mobile operator that sells 4G Wifi router based solutions.
So thinking about how and why a few customers end up sending packets to our network with the wrong source, I came up with a theory (not validated): What if the customer connects his 4G Wifi router to one of the LAN ports of our CPE (or vice versa)? His computer would then pick up an IPv6 range from both ISPs along with two default routes. But only one default route would be used, and in this case that was apparently the default route going to our network. But still his computer might use the IPv6 address from the other ISP as source and therefore he ends up "spoofing" by sending that to us. We deliver the packets to Facebook and I assume Facebook will route the replies just fine through the other ISP.
Now the thing is that my impression is that it actually works so long as I do not actively block it with uRPF or ACLs on our edge. I have learned that spoofing is evil and I should be blocking this - but why am I sabotaging something that apparently is doing just fine at some customers?
Regards,
Baldur
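Added example, not part of either post in the thread: a toy model of the edge check the two messages argue about. It builds a constructed FIB for an ISP edge router (all prefixes are RFC 3849 documentation space, the interface names and the packets are made up) and evaluates ingress packets under strict and loose unicast RPF as described in RFC 3704 (BCP 84). The point it makes concrete is the one Martijn raises: at the edge, Baldur's dual-homed customer (a source address from the mobile operator's range arriving on the customer port) is byte-for-byte indistinguishable from a reflection attack using a forged, routable victim address on that same port. Strict uRPF drops both; loose uRPF passes both and only stops sources with no route at all.

```python
"""Toy strict/loose uRPF evaluation for an ISP customer edge (added example).

Constructed data only: documentation prefixes, invented interface names.
"""
import ipaddress
from dataclasses import dataclass

# Constructed FIB: prefix -> interface the prefix is reached through.
# 2001:db8:1:10::/64  delegated to the customer on port "cust-baldur"
# 2001:db8:ffff::/48  the other (mobile) operator, reached via transit
# 2001:db8:face::/48  a content provider / potential reflection victim, via transit
FIB = {
    ipaddress.ip_network("2001:db8:1:10::/64"): "cust-baldur",
    ipaddress.ip_network("2001:db8:ffff::/48"): "transit-1",
    ipaddress.ip_network("2001:db8:face::/48"): "transit-1",
    ipaddress.ip_network("::/0"): "transit-1",
}


@dataclass
class Packet:
    src: str
    dst: str
    ingress: str  # interface the packet arrived on


def lookup(addr):
    """Longest-prefix match of addr in FIB; returns (network, interface) or None."""
    best = None
    for net, iface in FIB.items():
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def urpf(pkt, mode="strict", allow_default=False):
    """Return True if the packet passes the uRPF check, False if it is dropped.

    strict: the best route for the source must point back out the ingress port.
    loose:  any route for the source is enough, regardless of interface.
    allow_default: whether a match on ::/0 alone counts as "routable"
    (vendors expose this as an option; off is the BCP 84 default).
    """
    match = lookup(ipaddress.ip_address(pkt.src))
    if match is None:
        return False
    net, iface = match
    if net.prefixlen == 0 and not allow_default:
        return False  # source is covered only by the default route
    if mode == "loose":
        return True
    return iface == pkt.ingress


# Constructed ingress packets on the customer port.
PACKETS = {
    # normal traffic from the delegated prefix
    "legit": Packet("2001:db8:1:10::5", "2001:db8:face::1", "cust-baldur"),
    # Baldur's dual-homed host: mobile operator's address, our default route
    "dual-homed": Packet("2001:db8:ffff::abcd", "2001:db8:face::1", "cust-baldur"),
    # reflection attack: forged routable victim source, sent at an amplifier
    "reflection": Packet("2001:db8:face::1", "2001:db8:ffff::53", "cust-baldur"),
    # unrouted source (only ::/0 covers it)
    "bogon": Packet("2001:db8:dead::1", "2001:db8:face::1", "cust-baldur"),
}


def evaluate(mode, allow_default=False):
    """Verdict per constructed packet under the given uRPF mode."""
    return {name: urpf(p, mode, allow_default) for name, p in PACKETS.items()}


if __name__ == "__main__":
    for mode in ("strict", "loose"):
        print(mode, evaluate(mode))
```

Note that the "dual-homed" and "reflection" packets produce the same verdict in every mode: the router has no way to tell a misconfigured multi-homed host from an attacker, which is why the check is done on the customer port rather than on intent. Loose mode, the usual compromise on ports where asymmetric routing is expected, lets both through.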