On 9/6/2014 4:48 PM, Brian E Carpenter wrote:
> The Spark DNS servers do not appear to be open, so the attack can only be coming from their own customers. Therefore, can someone comment on whether Spark has BCP38 in place, since ingress filtering is the main defence against such attacks?

A number of popular BNG platforms implement subscriber anti-spoofing by default; so it wouldn't surprise me if it was enabled for Spark as well.

Even with BCP38 facing their own subscribers, it doesn't help protect against traffic being generated by their CPE - traffic which could be triggered by spoofed ingress traffic on the edge of the network caused by *other* operators not running BCP38 towards their subscribers; or caused by other mechanisms to trigger the traffic from the CPE.
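
The point made in the reply above, as an added example that is not part of the original message: a minimal model of subscriber-facing source validation showing which packets it drops and why CPE-originated traffic passes. The prefixes, port names, resolver address and the `cpe_reaction` helper are constructed assumptions, not Spark's configuration.

```python
import ipaddress

# Constructed sample data (documentation prefixes), not any operator's real addressing.
SUBSCRIBER_PREFIXES = {
    "sub-port-1": ipaddress.ip_network("192.0.2.16/29"),
    "sub-port-2": ipaddress.ip_network("192.0.2.24/29"),
}

def bcp38_permit(port, src):
    """Subscriber-facing anti-spoofing: accept a packet only if its source
    address lies inside the prefix assigned to the port it arrived on."""
    prefix = SUBSCRIBER_PREFIXES.get(port)
    return prefix is not None and ipaddress.ip_address(src) in prefix

def cpe_reaction(cpe_addr, trigger_src, resolver):
    """Hypothetical CPE that acts on a request arriving on its WAN side and
    emits upstream traffic from its own, legitimately assigned address.
    The trigger's claimed source never appears in what the CPE sends."""
    return {"src": cpe_addr, "dst": resolver, "triggered_by": trigger_src}

def classify(port, packets):
    """Return (src, verdict) for each packet seen on a subscriber port."""
    return [(p["src"], "permit" if bcp38_permit(port, p["src"]) else "drop")
            for p in packets]

RESOLVER = "198.51.100.53"   # constructed ISP resolver address
CPE = "192.0.2.17"           # inside sub-port-1's assigned prefix

packets_on_port_1 = [
    {"src": "203.0.113.9", "dst": RESOLVER},       # host behind the CPE forging a source
    {"src": "192.0.2.18", "dst": RESOLVER},        # ordinary subscriber traffic
    cpe_reaction(CPE, "203.0.113.200", RESOLVER),  # CPE traffic triggered from outside
]

if __name__ == "__main__":
    for src, verdict in classify("sub-port-1", packets_on_port_1):
        print(f"{src:15} {verdict}")
```

The third packet is indistinguishable from ordinary subscriber traffic at this filter, so spotting it takes other signals, such as per-subscriber query rates at the resolver.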