• Anti-spoofing ACL (blocks source address space that is not routed, but requires too much micro-management)
• uRPF (Unicast Reverse Path Forwarding, the preferred solution): it inspects the source address of each packet and denies those that do not come from a network routed across the inbound interface.

These and other preventive techniques are listed in the MANRS manifesto, along with the ISPs participating in the campaign. While these policies could solve this global issue, any non-compliant ISP could act as a catalyst for spoofed traffic through many tunneled sessions (GRE, L2TP, Tor, etc.), thus bypassing ISP edge network controls, in a near-future scenario where CPE and IoT devices are increasingly compromised (see the Mirai botnet).
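The uRPF check described above, as a simplified Python model (an added example, not part of the original text). The FIB, interface names and packets are constructed, and the `allow_default` switch is a modeling assumption; the example also goes beyond the text by modeling loose mode, to show why the strict, per-interface check is the one that stops a customer from borrowing another customer's addresses.

```python
import ipaddress

# Constructed FIB for a hypothetical ISP edge router (documentation prefixes).
FIB = {
    "203.0.113.0/24": "cust-a",    # customer A's routed space
    "198.51.100.0/24": "cust-b",   # customer B's routed space
    "0.0.0.0/0": "upstream",       # default route toward transit
}

def best_route(src, fib=FIB):
    """Longest-prefix match on the source address; returns (network, interface) or None."""
    addr = ipaddress.ip_address(src)
    hits = [(ipaddress.ip_network(p), ifc) for p, ifc in fib.items()
            if addr in ipaddress.ip_network(p)]
    return max(hits, key=lambda h: h[0].prefixlen) if hits else None

def urpf_permit(src, in_iface, mode="strict", allow_default=False):
    """Model of the uRPF decision for one packet.

    strict: the best route back to src must point out of the inbound interface.
    loose:  any route to src is enough, whatever the interface.
    allow_default: whether the default route counts as a valid route for the check.
    """
    route = best_route(src)
    if route is None:
        return False
    net, iface = route
    if net.prefixlen == 0 and not allow_default:
        return False
    return True if mode == "loose" else iface == in_iface

# Constructed packets: (source address, inbound interface).
PACKETS = [
    ("203.0.113.10", "cust-a"),  # A sending from its own space
    ("198.51.100.7", "cust-a"),  # A claiming B's space
    ("192.0.2.66", "cust-a"),    # A claiming space with no specific route
]

def verdicts(mode, allow_default=False):
    """Permit/deny decision for each constructed packet, in order."""
    return [urpf_permit(s, i, mode, allow_default) for s, i in PACKETS]

if __name__ == "__main__":
    for mode in ("strict", "loose"):
        print(mode, verdicts(mode))
```

In this model, loose mode with `allow_default=True` permits every packet, so a default route can silently turn the check into a no-op.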