Re: WW: Bruce Schneier on why security can't work

2013-03-17 Thread Eugeniu Patrascu
The US law enforcement is getting closer and closer to being able to be DDoS-ed very effectively because of all of their advisories about "see something, say something" and all other scare tactics crap they come up with. I mean it's bad some guy shot up a lot of people in a theater or in a school,

Re: [c-nsp] DNS amplification

2013-03-17 Thread Arturo Servin
Yes, BCP38 is the solution. Now, how widely is deployed? Someone said in the IEPG session during the IETF86 that 80% of the service providers had done it? This raises two questions for me. One, is it really 80%, how to measure it? Second, if it were 80%

Re: [c-nsp] DNS amplification

2013-03-17 Thread Christopher Morrow
On Sun, Mar 17, 2013 at 11:33 AM, Arturo Servin wrote: > > Yes, BCP38 is the solution. > > Now, how widely is deployed? > > Someone said in the IEPG session during the IETF86 that 80% of the > service providers had done it? right... sure. > This raises two questio

Long ARP reply

2013-03-17 Thread David Coulson

Re: [c-nsp] DNS amplification

2013-03-17 Thread Jon Lewis
On Sun, 17 Mar 2013, Arturo Servin wrote: Now, how widely is deployed? Someone said in the IEPG session during the IETF86 that 80% of the service providers had done it? This raises two questions for me. One, is it really 80%, how to measure it? Second, if it w

Why would a Facebook device be sending Spi packets at home user ?

2013-03-17 Thread Mr. James W. Laferriere
Hello All , Maybe I am missing (or have missed) something . Here is the log entry & dig & whois info . Just kinda interested in info on this phenomenon . I've received many SPI assoc. requests at my poor ol' router over the few years it's been online , Most of them a

Re: [c-nsp] DNS amplification

2013-03-17 Thread Arturo Servin
They should publish the spoofable AS. Not for public shame but at least to show the netadmins that they are doing something wrong, or if they are trying to do the good thing is not working. Or at least a tool to check for your ASN or netblock. /as On 3/17/13 1:35 PM, Christopher

Re: [c-nsp] DNS amplification

2013-03-17 Thread Christopher Morrow
On Sun, Mar 17, 2013 at 6:36 PM, Arturo Servin wrote: > > They should publish the spoofable AS. Not for public shame but at > least > to show the netadmins that they are doing something wrong, or if they > are trying to do the good thing is not working. > > Or at least a tool to c

Re: [c-nsp] DNS amplification

2013-03-17 Thread Jimmy Hess
On 3/17/13, Jon Lewis wrote: > On Sun, 17 Mar 2013, Arturo Servin wrote: > You'd have to get access (cloud VM, dedicated server, etc.) on each > network and see if you can successfully get spoofed packets out to > another network. If you have packet data about a sufficient number of different ki

Re: [c-nsp] DNS amplification

2013-03-17 Thread Damian Menscher
On Sun, Mar 17, 2013 at 7:04 PM, Jimmy Hess wrote: > If you have a sufficiently massive number of traffic sensors, and > massive data gathering infrastructure, close enough to the attacks, > it may be possible to analyze the microsecond-level timing of packets, > and the time sequence/order they

Re: [c-nsp] DNS amplification

2013-03-17 Thread Masataka Ohta
Arturo Servin wrote: > Yes, BCP38 is the solution. It is not a solution at all, because it, instead, will promote multihomed sites bloats the global routing table. To really solve the problem in an end to end fashion, it is necessary to require IGPs carry information for the proper source

Re: [c-nsp] DNS amplification

2013-03-17 Thread Mark Andrews
In message <51469fae.7030...@necom830.hpcl.titech.ac.jp>, Masataka Ohta writes: > Arturo Servin wrote: > > > Yes, BCP38 is the solution. > > It is not a solution at all, because it, instead, will promote > multihomed sites bloats the global routing table. How does enforcing that source addr

Re: [c-nsp] DNS amplification

2013-03-17 Thread Masataka Ohta
Mark Andrews wrote: >>> Yes, BCP38 is the solution. >> >> It is not a solution at all, because it, instead, will promote >> multihomed sites bloats the global routing table. > > How does enforcing that source address entering your net from > customers sites match those that have been allocat

Re: [c-nsp] DNS amplification

2013-03-17 Thread Dobbins, Roland
On Mar 18, 2013, at 12:47 PM, Masataka Ohta wrote: > See draft-ohta-e2e-multihoming-05 for details. See for an actual solution to the problem of routing-table bloat, which has nothing to do with BCP38/84. --

Re: [c-nsp] DNS amplification

2013-03-17 Thread Jimmy Hess
On 3/17/13, Damian Menscher wrote: > Once you know an ISP hasn't implemented BCP38, what's the next step? > De-peering just reduces your own visibility into the problem. What if In general, a hard problem, not directly solvable in any obvious way. It's similar to the question of what's the n