Message-ID: <09a3fbb7-f2f0-4dc9-9e23-8edd6f7764c7@lackof.org>
Date: Tue, 29 Oct 2024 15:31:16 -0700
To: cerowrt-devel
From: Matt Taggart
Subject: [Cerowrt-devel] BCP38 and interesting IP spoofing attack
List-Id: Development issues regarding the cerowrt test router project

Hi CeroWRT!

Sending here because this isn't a bloat thing, but I thought it would be interesting to those that enjoyed CeroWRT:

One weird trick to get the whole planet to send abuse complaints to your best friend(s)
https://delroth.net/posts/spoofed-mass-scan-abuse/

A blog post that details an interesting attack that involves the attacker injecting spoofed packets in order to damage the reputation of target IPs with their ISPs by making it appear they are doing ssh port scanning. Links with more technical details are in the post too.

The discussion on HN is interesting as well:
https://news.ycombinator.com/item?id=41982698

I was reminded of CeroWRT because (IIRC) the bcp38/luci-app-bcp38 openwrt packages were part of the default image and ever since then I have installed them on every openwrt router I have configured (not that it makes a difference for the networks I am configuring, but it should be the DEFAULT!).

This linked APNIC blog post is interesting too:
https://blog.apnic.net/2023/05/03/why-is-source-address-validation-still-a-problem/

-- 
Matt Taggart
matt@lackof.org