From matt at lackof.org  Tue Oct 29 18:31:16 2024
From: matt at lackof.org (Matt Taggart)
Date: Tue, 29 Oct 2024 15:31:16 -0700
Subject: [Cerowrt-devel] BCP38 and interesting IP spoofing attack
Message-ID: <09a3fbb7-f2f0-4dc9-9e23-8edd6f7764c7@lackof.org>

Hi CeroWRT!

Sending here because this isn't a bloat thing, but I thought would be 
interesting to those that enjoyed CeroWRT:

   One weird trick to get the whole planet to send abuse complaints
   to your best friend(s)
   https://delroth.net/posts/spoofed-mass-scan-abuse/

A blog post that details an interesting attack that involves the 
attacker injecting spoofed packets in order to damage the reputation of 
target IPs with their ISPs by making it appear they are doing ssh port 
scanning. Links with more technical details are in the post too.

The discussion on HN is interesting as well:
   https://news.ycombinator.com/item?id=41982698

I was reminded of CeroWRT because (IIRC) the bcp38/luci-app-bcp38 
openwrt packages were part of the default image and ever since then I 
have installed them on every openwrt router I have configured (not that 
it makes a difference for the networks I am configuring, but it should 
be the DEFAULT!).

This linked APNIC blog post is interesting too:
 
https://blog.apnic.net/2023/05/03/why-is-source-address-validation-still-a-problem/

-- 
Matt Taggart
matt at lackof.org