Hello, Community!
I'm writing from RIPE71 / Anti spoofing BoF. So I want to ask a difficult ethical question.
Could we detect probe hosts who do not deploy outgoing filtering and accept spoofed traffic?
We need to know the number of them. It's really important for solving the spoofing issue at Internet scale.
-- Sincerely yours, Pavel Odintsov
On Tue, Nov 17, 2015 at 5:50 PM, Pavel Odintsov <pavel.odintsov@gmail.com> wrote:
> I'm writing from RIPE71 / Anti spoofing BoF. So I want to ask a difficult ethical question.
> Could we detect probe hosts who do not deploy outgoing filtering and accept spoofed traffic?
> We need to know the number of them. It's really important for solving the spoofing issue at Internet scale.
It's been discussed before and some ethical concerns have been raised by RIPE NCC.
From a pure technical point of view I think it might be possible to get some data for IPv6 (with some false negatives):
- a probe could generate a ULA prefix for itself and send traffic from that ULA source to, let's say, some anchors (or some other pre-defined target which is known for allowing packets from ULA sources). Receiving such a packet from a probe would prove that there is no BCP38 filtering on the path (however, blocking packets proves only the fact that ULAs are being blocked, not real spoofed packets). Or maybe a probe might get a GUA IP address from a RIPE prefix and use it as a source. As bi-directional communication is not necessary, any source address would work.
-- SY, Jen Linkova aka Furry
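Added example (not part of the original thread, and not RIPE Atlas code): one way an anchor operator could interpret the outcome of the ULA test described in the message above, keeping its caveat that a missing packet proves only that ULA sources are blocked. The probe IDs, the addresses, the probe ID carried in the payload and the control packet sent from the probe's real address are assumptions made for illustration.

```python
import ipaddress
import secrets
from collections import defaultdict

ULA = ipaddress.ip_network("fc00::/7")  # RFC 4193 unique local addresses


def generate_ula_prefix():
    """Random /48 under fd00::/8: 0xfd, a 40-bit global ID, then zeros.
    (RFC 4193 suggests a hash-based ID; random bits are an assumption here.)"""
    packed = bytes([0xFD]) + secrets.token_bytes(5) + bytes(10)
    return ipaddress.IPv6Network((packed, 48))


def classify(probes, anchor_log):
    """probes: {probe_id: {"ula_src": str, "real_src": str}}
    anchor_log: (probe_id, source_address) pairs for packets the anchor
    received; the probe ID is assumed to travel in the payload."""
    seen = defaultdict(set)
    for probe_id, src in anchor_log:
        seen[probe_id].add(ipaddress.ip_address(src))
    verdicts = {}
    for probe_id, cfg in probes.items():
        ula = ipaddress.ip_address(cfg["ula_src"])
        real = ipaddress.ip_address(cfg["real_src"])
        if ula not in ULA:
            raise ValueError(f"{ula} is not a ULA test source")
        if ula in seen[probe_id]:
            # Positive result: the ULA-sourced packet crossed the whole path.
            verdicts[probe_id] = "no source filtering on path"
        elif real in seen[probe_id]:
            # Path works but ULA was dropped: may be bogon filtering only.
            verdicts[probe_id] = "ULA blocked, BCP38 status unknown"
        else:
            # Nothing arrived at all: loss or outage, no conclusion.
            verdicts[probe_id] = "inconclusive"
    return verdicts


# Constructed sample data (documentation prefix 2001:db8::/32, made-up IDs).
PROBES = {
    1001: {"ula_src": "fd12:3456:789a::1", "real_src": "2001:db8:1::10"},
    1002: {"ula_src": "fd9b:1c2d:3e4f::1", "real_src": "2001:db8:2::10"},
    1003: {"ula_src": "fd00:aaaa:bbbb::1", "real_src": "2001:db8:3::10"},
}
ANCHOR_LOG = [
    (1001, "fd12:3456:789a::1"),
    (1001, "2001:db8:1::10"),
    (1002, "2001:db8:2::10"),
]

if __name__ == "__main__":
    for probe_id, verdict in classify(PROBES, ANCHOR_LOG).items():
        print(probe_id, verdict)
```

Only the first verdict is evidence about source address validation; the other two say nothing about whether the filtering, if any, sits at the CPE or at the provider.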
Hello!
Thanks for the answer!
But actually we have huge issues with IPv4. Could we collect these stats with a fully anonymous approach for beating the ethical problem here?
So we definitely need the number of networks who ignore these rules.
On Tue, Nov 17, 2015 at 8:00 PM, Jen Linkova <furry13@gmail.com> wrote:
> It's been discussed before and some ethical concerns have been raised by RIPE NCC.
> From a pure technical point of view I think it might be possible to get some data for IPv6 (with some false negatives):
> - a probe could generate a ULA prefix for itself and send traffic from that ULA source to, let's say, some anchors (or some other pre-defined target which is known for allowing packets from ULA sources). Receiving such a packet from a probe would prove that there is no BCP38 filtering on the path (however, blocking packets proves only the fact that ULAs are being blocked, not real spoofed packets). Or maybe a probe might get a GUA IP address from a RIPE prefix and use it as a source. As bi-directional communication is not necessary, any source address would work.
-- Sincerely yours, Pavel Odintsov
Wish I were there. There’s some cool ways to detect this externally that I know some researchers are working on documenting. I think their results will be at NDSS or PAM (I forget which).
- Jared
On Nov 17, 2015, at 12:03 PM, Pavel Odintsov <pavel.odintsov@gmail.com> wrote:
> Hello!
> Thanks for the answer!
> But actually we have huge issues with IPv4. Could we collect these stats with a fully anonymous approach for beating the ethical problem here?
> So we definitely need the number of networks who ignore these rules.
Do we have statistics on what percentage of probes operate behind NAT?
On Tue, Nov 17, 2015 at 7:03 PM, Pavel Odintsov <pavel.odintsov@gmail.com> wrote:
> Hello!
> Thanks for the answer!
> But actually we have huge issues with IPv4. Could we collect these stats with a fully anonymous approach for beating the ethical problem here?
> So we definitely need the number of networks who ignore these rules.
-- connecting the dots
On Wed, Nov 18, 2015 at 12:57 PM, Alexander Lyamin <melanor9@gmail.com> wrote:
> Do we have statistics on what percentage of probes operate behind NAT?
There is a tag "IPv4 RFC1918" so you can select all probes with that tag to get that number.
-- SY, Jen Linkova aka Furry
Hello!
Could somebody share a link to the archives with the previous discussion of this ethical question?
On Wed, Nov 18, 2015 at 3:18 PM, Jen Linkova <furry13@gmail.com> wrote:
> On Wed, Nov 18, 2015 at 12:57 PM, Alexander Lyamin <melanor9@gmail.com> wrote:
>> Do we have statistics on what percentage of probes operate behind NAT?
> There is a tag "IPv4 RFC1918" so you can select all probes with that tag to get that number.
-- Sincerely yours, Pavel Odintsov
On Wed, 18 Nov 2015, Pavel Odintsov wrote:
> Hello!
> Could somebody share a link to the archives with the previous discussion of this ethical question?
https://www.ripe.net/ripe/mail/archives/ripe-atlas/2013-September/001005.htm...
http://www.gossamer-threads.com/lists/nanog/users/174708
... for instance.
-- Mikael Abrahamsson email: swmike@swm.pp.se
On Wed, Nov 18, 2015 at 03:23:33PM +0300, Pavel Odintsov <pavel.odintsov@gmail.com> wrote a message of 83 lines which said:
> Could somebody share a link to the archives with the previous discussion of this ethical question?
https://www.ripe.net/ripe/mail/archives/ripe-atlas/2013-September/001005.htm...
https://www.ripe.net/ripe/mail/archives/ripe-atlas/2013-June/000838.html
See also the roadmap <https://atlas.ripe.net/docs/roadmap/>, section "Measurements to detect BCP38 compliance"
Thanks! Will read it deeply.
On Wed, Nov 18, 2015 at 3:36 PM, Stephane Bortzmeyer <bortzmeyer@nic.fr> wrote:
> On Wed, Nov 18, 2015 at 03:23:33PM +0300, Pavel Odintsov <pavel.odintsov@gmail.com> wrote a message of 83 lines which said:
>> Could somebody share a link to the archives with the previous discussion of this ethical question?
> https://www.ripe.net/ripe/mail/archives/ripe-atlas/2013-September/001005.htm...
> https://www.ripe.net/ripe/mail/archives/ripe-atlas/2013-June/000838.html
> See also the roadmap <https://atlas.ripe.net/docs/roadmap/>, section "Measurements to detect BCP38 compliance"
-- Sincerely yours, Pavel Odintsov
On Tue, Nov 17, 2015 at 07:50:16PM +0300, Pavel Odintsov wrote:
> Could we detect probe hosts who do not deploy outgoing filtering and accept spoofed traffic?
while this may sound tempting, I think it would be more helpful in the long run to maintain atlas probes as a tool to map the Internet rather than as "spy in the house".
-Peter
I don't think the measurement would show usable results, as you don't know if the CPE at the probe would block unknown sources or the provider. For example, at my home the v4 connection uses the provider-owned CPE NAT and v6 would go through my firewall as the SixXS tunnel terminates on it. How would you know where the anti-spoofing is implemented?
Sent from my BlackBerry
Original message
From: Peter Koch
Sent: Tuesday, 17 November 2015 19:02
To: ripe-atlas@ripe.net
Subject: Re: [atlas] Spoofing measurenments
On Tue, Nov 17, 2015 at 07:50:16PM +0300, Pavel Odintsov wrote:
> Could we detect probe hosts who do not deploy outgoing filtering and accept spoofed traffic?
while this may sound tempting, I think it would be more helpful in the long run to maintain atlas probes as a tool to map the Internet rather than as "spy in the house".
-Peter
On Tue, Nov 17, 2015 at 07:01:24PM +0100, Peter Koch <pk@DENIC.DE> wrote a message of 10 lines which said:
> while this may sound tempting, I think it would be more helpful in the long run to maintain atlas probes as a tool to map the Internet rather than as "spy in the house".
Hmmm, the Atlas probe already learns a lot about the house and publishes it:
* "this house uses Google Public DNS"
* "this house uses a validating DNS resolver"
* "this house uses IPv6 ULA"
Hi,
Perhaps some people who are interested in the topic are not aware: CAIDA runs a "spoofer project" with precisely this goal.
You can find more info and statistics here: http://spoofer.caida.org/summary.php
Regards, Robert
It's well known. Nice attempt, but it's ridden with "survivors bias".
On Thu, Nov 19, 2015 at 11:52 AM, Robert Kisteleki <robert@ripe.net> wrote:
> Hi,
> Perhaps some people who are interested in the topic are not aware: CAIDA runs a "spoofer project" with precisely this goal.
> You can find more info and statistics here: http://spoofer.caida.org/summary.php
> Regards, Robert
-- Alexander Lyamin CEO | Qrator Labs <http://qrator.net/> office: 8-800-3333-LAB (522) mob: +7-916-9086122 skype: melanor9 mailto: la@qrator.net
On 17.11.15 17:50 , Pavel Odintsov wrote:
> Hello, Community!
> I'm writing from RIPE71 / Anti spoofing BoF. So I want to ask a difficult ethical question.
> Could we detect probe hosts who do not deploy outgoing filtering and accept spoofed traffic?
> We need to know the number of them. It's really important for solving the spoofing issue at Internet scale.
Why exactly do we need to know the exact amount of this problem? We surely know it exists and that it is widespread enough to allow serious reflection attacks. We will know that we are solving the problem when these attacks are getting less. Why not measure that?
Would it not be much better to get all ISPs to do something about it?
If we are interested in the amount of BCP-38 compliant address space we could just ask. Those that implement it or are in the process of doing so will gladly tell us since that shows them as good citizens.
How about getting address space users to publish the BCP-38 status of their address space holdings like this?
BCP-38 fully implemented
BCP-38 100% implemented by <date>
BCP-38 considering
Maybe add an attribute to the inetnum:s in the database? Run a campaign to encourage organisations to publish BCP-38 status and shame those that do not. That would provide a useful measure and also raise awareness! In the case of ISPs it would be open to verification by customers.
Daniel
On 23/11/2015 12:03, Daniel Karrenberg wrote:
> Why exactly do we need to know the exact amount of this problem?
it would be useful to know the sources of the problem.
Nick
On Mon, Nov 23, 2015 at 02:01:08PM +0100, Daniel Karrenberg wrote:
> On 23.11.15 13:11 , Nick Hilliard wrote:
>> On 23/11/2015 12:03, Daniel Karrenberg wrote:
>>> Why exactly do we need to know the exact amount of this problem?
>> it would be useful to know the sources of the problem.
> Those would be the ones not reporting to implement BCP-38.
You are over-optimistic.
Piotr
-- gucio -> Piotr Strzyżewski E-mail: Piotr.Strzyzewski@polsl.pl
On 23/11/2015 13:01, Daniel Karrenberg wrote:
> On 23.11.15 13:11 , Nick Hilliard wrote:
>> On 23/11/2015 12:03, Daniel Karrenberg wrote:
>>> Why exactly do we need to know the exact amount of this problem?
>> it would be useful to know the sources of the problem.
> Those would be the ones not reporting to implement BCP-38.
I know of a bunch of organisations that quietly implement bcp38 but don't talk about it. Also, add to the problem that just because a provider supports bcp38, that doesn't mean they support bcp38 everywhere on their network. Like any fence, you can end up with holes appearing due to poor installation or lack of maintenance. Overall it's a problem which would benefit from good quality characterisation.
This isn't a request for Atlas to be the mechanism to do this, btw, but there would be value in having an opt-in mechanism with informed consent. This should be sufficient to deal with ethical issues associated with spoof testing.
Nick
Nick Hilliard wrote on 23/11/15 13:11:
> On 23/11/2015 12:03, Daniel Karrenberg wrote:
>> Why exactly do we need to know the exact amount of this problem?
> it would be useful to know the sources of the problem.
Agree. It is also important to be able to track the overall trend. Stats on volumetric DDoS attacks are not a good indicator, since they depend on other factors like number and amplification capabilities of reflectors and botnet parameters.
I doubt that without good measurements and traceability we can effectively address this problem.
Having said that I do not think Atlas can really help. Atlas can only offer a fraction of devices that can effectively spoof (although I heard that not every NAT device prevents spoofing for any IP range). And its deployment is not uniform, so the results won't be more statistically representative than those from Spoofer (http://spoofer.caida.org/). Sigh...
Andrei
participants (14)
- Alexander Lyamin
- Alexander Lyamin
- Andrei Robachevsky
- Daniel Karrenberg
- Jared Mauch
- Jen Linkova
- Karsten Thomann
- Mikael Abrahamsson
- Nick Hilliard
- Pavel Odintsov
- Peter Koch
- Piotr Strzyzewski
- Robert Kisteleki
- Stephane Bortzmeyer