netsec-sig - Re: [Security-WG] Spoof/RPF Numbers

Subject: Internet2 Network Security SIG

List archive

Re: [Security-WG] Spoof/RPF Numbers

From: "Garrett, Seth B" <>
To: "" <>
Subject: Re: [Security-WG] Spoof/RPF Numbers
Date: Wed, 23 May 2018 17:19:59 +0000
Accept-language: en-US
Ironport-phdr: 9a23:IJE/mBWqjeog6AwskGiYkKi3NvbV8LGtZVwlr6E/grcLSJyIuqrYbBaGt8tkgFKBZ4jH8fUM07OQ7/i7HzRYqb+681k6OKRWUBEEjchE1ycBO+WiTXPBEfjxciYhF95DXlI2t1uyMExSBdqsLwaK+i764jEdAAjwOhRoLerpBIHSk9631+ev8JHPfglEnjWwba98IRmssQndqtQdjJd/JKo21hbHuGZDdf5MxWNvK1KTnhL86dm18ZV+7SleuO8v+tBZX6nicKs2UbJXDDI9M2Ao/8LrrgXMTRGO5nQHTGoblAdDDhXf4xH7WpfxtTb6tvZ41SKHM8D6Uaw4VDK/5KptVRTmijoINyQh/W/XlMJ+kb5brhyiqRxxwYHUYZ2aO/Vlc6zHYd8XX3BMUtpNWyBcBI63cosBD/AGPeZdt4TxqVoAogGkBQm2Guzv1iNIimfr1qMnzeshDQHG1xE9Et4ArX/Zq871O7wdUe+v1qnI1yvMb+9N1Df89YjEaA4uruyRXb9pd8fa1EohFxvdg1mNt4DoOymZ2+YJvmSB8uZsT/+jhmoopg1pvzSix9kghpPXio4Ly13I7yp0zJovKdGmR0N3edCkH4VTui2GMoZ7R8wvTH12tCs7z7ALuYC3czMExZkiyR7SZfOKfJKN7x/nWuadPTV1iXR4c7ylnRmy61KvyujkW8m0zllKqi1Fn8HMtn8XzRzT9s2HReF7/ku7xDaP1hzT6vpeLUA1k6rUNp8hzaQ2lpUJq0jMADL5mFjugK+XcEUr5PSo5vz6brn4opKQLY15hwXkPqgzgMCzHOA1PwcWU2ie4+u81bnj/UPjQLVNi/07irLZv4vVJcsBvK65GRFa0po45ha+EjeqysoXkmQaLF5dYhKIk5DpO03SIPD/Ffq/mEqjnyt2x/DcP73hHpXMImHNkbfuZrt9709cyBEvzdBE+Z5YELABIPTvWkDvrtzYCAE2MxCqz+r9Ftpyy54eCiqzBfrTK67ZrEWJ+vNqPOakZYkJtSz7JuR/ofPikDVxzUQQdrSz3IcGLW+3NvVgP0iDZ3fw2JEMHXpc7SQkS+m/wnKLSyRee2r2F5kx+jFzIsjuWZzJSYm3mrGd9CamWJBaezYVWRi3DX70etDcCL83YyWIL5o5nw==

We're averaging about 36,826 spoofed packets a day since Global Summit at our main Bloomington campus. These would packets being sent to IU with our own IP as the source. Its fairly consistent.

23,035,796 packets have been source RPF drops as a security response (RTBH Null routing + RPF).

Thanks,

Seth Garrett
Principal Network Systems Engineer
Indiana University

From: <> on behalf of Paul Howell <>
Sent: Friday, May 11, 2018 6:55 AM
To:
Subject: Re: [Security-WG] Spoof/RPF Numbers

Hi Seth,

Thanks for the numbers. Does the rate of drops/blocks happen more or less consistently 24x7, or do you notice patterns?

Regards,

Paul

From: <> on behalf of "Garrett, Seth B" <>
Reply-To: "" <>
Date: Thursday, May 10, 2018 at 3:06 PM
To: "" <>
Subject: [Security-WG] Spoof/RPF Numbers

Some numbers I volunteered to get during the Internet2 Global Summit Security Working Group lunch.

1. How often are Indiana University IPs spoofed to IU from external sources:

o Over a 10 minute period we drop approximately 700 packets that have our own IP space spoofed as a source.

2. Internet facing RPF drops as a security response:

o This is our RTBH system combined with RPF to source block external offenders that are null routed

o Over a 10 minute period it blocked 1,550,000 packets

Seth Garrett
Principal Network Systems Engineer
Indiana University

[Security-WG] Spoof/RPF Numbers, Garrett, Seth B, 05/10/2018
- <Possible follow-up(s)>
- Re: [Security-WG] Spoof/RPF Numbers, Paul Howell, 05/11/2018
  - Re: [Security-WG] Spoof/RPF Numbers, Garrett, Seth B, 05/23/2018

List archive

Re: [Security-WG] Spoof/RPF Numbers