
The real reason for large DDoS attacks? It's IP Spoofing, not memcached - majke
https://blog.cloudflare.com/the-root-cause-of-large-ddos-ip-spoofing/
======
betaby
Your incumbent won't do filtering. Your incumbent won't maintain proper
'route' objects [https://www.ripe.net/manage-ips-and-asns/db/support/managing...](https://www.ripe.net/manage-ips-and-asns/db/support/managing-route-objects-in-the-irr). Your shoestring independent
ISP won't do that either. Who is left? Tier 1 ISPs, and some of them do BCP38
filtering sometimes on some ports.

~~~
grahamburger
As someone who has been doing 'shoestring independent ISPs' for almost 15
years, my impression is that nearly all upstream providers (the ones we buy
service from - not always but sometimes tier 1 providers) do outgoing IP
filtering. Whenever I get a new IPv4 allocation from ARIN (at least when we
used to be able to do that - they're all gone now) we had to go through a
process with our upstream provider so that they would allow our BGP
advertisements for that block as well as allow those source addresses to route
through their network.

~~~
sathackr
They may filter what routes you can advertise via BGP, but nearly every Tier
1 (and most Tier 2) provider will accept traffic sourced from any IP address.
I handle about 10 different connections and can source traffic from any IP on
all of them.

------
chatmasta
Are there any valid technical use-cases for IP spoofing? i.e. setting the
source address of a UDP packet as one outside the originating network?

For example, on the server side, BGP hijacking and anycast routing are enabled
by the same bug or feature, depending how you look at it.

~~~
omribahumi
There’s one reason I could think of. Combining two Internet lines together to
get a faster connection. I blogged about this a few years back

[https://omri.org.il/2014/08/08/hacking-asymmetric-and-symmet...](https://omri.org.il/2014/08/08/hacking-asymmetric-and-symmetric-lines-together/)

~~~
sinnet3000
Pretty cool! Are you still doing that??

~~~
omribahumi
Nope. The company was shut down

------
superkuh
>Let's take a deep breath and discuss why such large DDoS attacks are even
possible on the modern internet.

Because all traffic is treated at face value and not deep filtered and
throttled according to some company's whims.

Cloudflare wants to change this. Cloudflare wants centralization. Cloudflare
wants blacklists.

~~~
mehrdadn
Is egress filtering really that egregious?

~~~
r00fus
Does it profit the ISPs to avoid/neglect egress filtering?

Who stands to gain from this and how much are they willing to kickback for
"looking the other way"?

~~~
dpark
Bad/undesired decisions don’t require blatant corruption. This seems a simple
case of poor incentives. If an ISP does egress filtering well, essentially no
one notices. If they screw it up, customers lose connectivity and some portion
of those customers will likely leave for a competitor. There’s risk with no
reward.

~~~
blackflame7000
Couldn't there perhaps be a financial incentive by reducing the amount of
superfluous data on their networks?

~~~
dpark
Apparently not given the lack of action.

I’m not sure DDOS traffic is really significant from an egress standpoint.

------
misterbowfinger
If anyone here has run Spoofer:

[https://www.caida.org/projects/spoofer/](https://www.caida.org/projects/spoofer/)

What was your experience?

~~~
citrin_ru
I've run it on a few of my hosts - spoofing was filtered.

------
hueving
This is a refreshing change from Cloudflare. Back when recursive DNS was the
amplification du jour they complained about DNS instead of IP spoofing.

[https://blog.cloudflare.com/the-ddos-that-knocked-spamhaus-o...](https://blog.cloudflare.com/the-ddos-that-knocked-spamhaus-offline-and-ho/)

~~~
makomk
This is an odd change from Cloudflare. Were it not for the DDoS amplification
problem it'd be perfectly reasonable to make recursive DNS servers publicly
accessible, but memcached servers should never be exposed to the public
internet - they're not designed to be and doing so allows everyone to
exfiltrate, modify or delete the cached data which you almost certainly don't
want to be possible.

~~~
hueving
Right, exposing a memcached server is bad because memcached isn't meant to be
public. However, in the context of DRDoS discussions it doesn't matter if the
UDP service is good for public exposure. That's completely a distraction from
the underlying IP spoofing disease that enables attacks on all connectionless
protocols.
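As an added example (not code from this thread, from Cloudflare, or from any ISP), here is a small Python model of the two filters that the upstream-provisioning process grahamburger describes and the BCP38 check betaby and sathackr argue about: a BGP prefix-list and an ingress source-address filter, both derived from the customer's IRR route objects. The route objects, ASNs and packets are constructed (RFC 5737 documentation prefixes and private-use ASNs); the "exact prefix or more-specific" announcement policy is an assumption, since upstreams differ. It also makes hueving's point concrete: a packet whose source address lies outside the customer's registered prefixes is dropped at the customer edge before it reaches any UDP service, whatever connectionless protocol it was aimed at.

```python
import ipaddress

# Constructed IRR-style route objects (RPSL-like text, not a real IRR dump).
# Each 'route:' line is followed by the 'origin:' ASN allowed to announce it.
ROUTE_OBJECTS = """\
route: 203.0.113.0/24
origin: AS64500

route: 198.51.100.0/25
origin: AS64500

route: 192.0.2.0/24
origin: AS64501
"""


def parse_route_objects(text):
    """Parse 'route:' / 'origin:' pairs into {asn: [ip_network, ...]}."""
    objs = {}
    prefix = None
    for line in text.splitlines():
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "route":
            prefix = ipaddress.ip_network(value, strict=True)
        elif key == "origin" and prefix is not None:
            objs.setdefault(value, []).append(prefix)
            prefix = None
    return objs


def customer_prefixes(route_objs, customer_asn):
    """The prefix-list an upstream would build for one customer's session.
    The same list drives both the BGP filter and the BCP38 source filter."""
    return route_objs.get(customer_asn, [])


def announcement_accepted(allowed, prefix):
    """Control plane: accept a BGP announcement only if it is a registered
    prefix or a more-specific of one (assumed policy)."""
    net = ipaddress.ip_network(prefix)
    return any(net == a or net.subnet_of(a) for a in allowed)


def source_allowed(allowed, src):
    """Data plane (BCP38): the source address of a packet arriving from the
    customer must fall inside one of that customer's prefixes."""
    addr = ipaddress.ip_address(src)
    return any(addr in a for a in allowed)


def filter_packets(allowed, packets):
    """Apply the BCP38 check to (src, dst, proto, dport) tuples and return
    [(verdict, packet), ...] where verdict is 'forward' or 'drop'."""
    return [("forward" if source_allowed(allowed, p[0]) else "drop", p)
            for p in packets]


# Constructed packets arriving on AS64500's customer port. 198.51.100.200 is
# outside the registered /25 (which ends at .127), and 192.0.2.7 belongs to a
# different network entirely, so both are spoofed from this port's view.
SAMPLE_PACKETS = [
    ("203.0.113.10", "192.0.2.53", "udp", 53),      # legitimate source
    ("198.51.100.200", "192.0.2.53", "udp", 53),    # just past the /25 edge
    ("192.0.2.7", "203.0.113.1", "udp", 11211),     # victim's address spoofed
]


def run_demo():
    """Build the filters for AS64500 and run the sample packets through."""
    allowed = customer_prefixes(parse_route_objects(ROUTE_OBJECTS), "AS64500")
    return filter_packets(allowed, SAMPLE_PACKETS)


if __name__ == "__main__":
    for verdict, pkt in run_demo():
        print(f"{verdict:7} {pkt[0]:>15} -> {pkt[1]}:{pkt[3]}/{pkt[2]}")
```

The point of deriving both filters from one list is the one grahamburger's story implies: once the upstream already has the customer's prefixes to filter BGP announcements, the source-address filter costs nothing extra to generate, and a packet that fails it never reaches a reflector, no matter how "public" the target UDP service happens to be.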

