Skip to main content

Anti-Spoofing: M5 (Action 2)

The Anti-Spoofing score (metric M5) is built entirely from CAIDA Spoofer test results. The Observatory cannot see your filters directly. It only sees whether spoofed packets escaped your network during a test.

warning

No tests run from your network during a month means no score (-) for that month. You must run tests regularly, at least monthly, to maintain a score.

How the score works

Test results during the monthScore
No tests observed- (no data)
Tests ran, no spoofed packets received100%
Spoofed packets received from 1 prefix~49%
Spoofed packets received from 2 prefixes~36%

Each unique prefix that successfully sent spoofed traffic counts against you. The very common 49% score means exactly one prefix leaked spoofed packets during a test that month.

The percentages aren't flat penalties: the count of affected prefixes (the "raw" penalty) is mapped through an exponential decay curve calibrated so a raw penalty of 0.5 scores 60%. One affected prefix (raw 1) works out to ≈49%, two (raw 2) to ≈36%, and each additional spoofed prefix lowers the score further.

How to run a valid test

  1. Download the Spoofer client from spoofer.caida.org.
  2. Run it from a host inside your infrastructure, not behind NAT. NAT rewrites source addresses and invalidates the test.
  3. Test both IPv4 and IPv6 if you operate both.
  4. Enable "Allow anonymized test results to be shared publicly". Without this, MANRS cannot see your results and your score stays at no-data.
  5. Run tests from at least two different network segments.
  6. Repeat monthly. Scores reset each calendar month.

Check your recent public results at:

https://spoofer.caida.org/recent_tests.php?as_include=<your ASN>

My test failed, now what?

A "received" result means spoofed packets escaped from that prefix. To fix:

  1. Identify the failing prefix/segment in the test report.
  2. Apply source address validation there (uRPF strict mode, or ACLs at the customer/edge boundary, see BCP 38).
  3. Re-run the test from the same prefix to confirm.

A failed test counts against the whole month it ran in, so the score recovers once the calendar month rolls over with clean tests.