BGP hijack from 23724 -> 4134 China?

Suresh Ramasubramanian ops.lists at gmail.com
Fri Apr 9 01:28:02 CDT 2010


It depends.  Preventing packet flow from a rather more carefully
selected list of prefixes may actually make sense.

These for example - www.spamhaus.org/drop/

Filtering prefixes that your customers may actually exchange valid
email / traffic with, and that are not 100% bad is not the best way to
go.

Block specific prefixes from China, the USA, Eastern Europe, wherever
- that are a specific threat to your network .. great.   Even better
if you are able to manage that blocking and avoid turning your router
ACLs into a sort of Hotel California for prefixes.

On Fri, Apr 9, 2010 at 11:52 AM, Daniel Karrenberg
<daniel.karrenberg at ripe.net> wrote:
>
>
> **** Selectively preventing packet flow is *not* a security measure.
>
> **** Selectively preventing packet flow leads to unexpected and hard to diagnose breakage.
>
> **** Many independent actors selectively preventing packet flow will eventually
>     partition the Internet sufficiently to break it beyond recognition.



-- 
Suresh Ramasubramanian (ops.lists at gmail.com)




More information about the NANOG mailing list