Todd Underwood was a little late

Roy r.engehausen at gmail.com
Thu Jun 17 04:38:42 UTC 2010


On 6/16/2010 7:43 PM, Jon Lewis wrote:
> On Thu, 17 Jun 2010, Mark Andrews wrote:
>
>> Why was this traffic hitting your DNS server in the first place?  It
>> should have been rejected by the ingress filters preventing spoofing
>> of the local network.
>
> When I ran a smaller, simpler network, I did have input filters on our
> transit providers rejecting packets from our IP space.  With a larger
> network, multiple IP blocks, numerous multihomed customers, some of
> which use IPs we've assigned them, it gets a little more complicated
> to do.
>
> I could reject at our border, packets sourced from our IP ranges with
> exceptions for any of the IP blocks we've assigned to multihomed
> customers.  The ACLs wouldn't be that long, or that hard to maintain.
> Is this common practice?
>
> -

Sounds like a good use of URPF.
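The two approaches discussed in this thread, modelled in Python as an added example (not code from any poster or from NANOG): a border ingress ACL that denies packets sourced from the network's own blocks minus the sub-blocks assigned to multihomed customers, beside a strict and a loose uRPF check against a small routing table. All prefixes, interface names and sample packets are constructed from RFC 5737 documentation space and are assumptions, not anything from the thread. The model also shows how strict uRPF treats a packet from the multihomed customer block when the best route back to that source points at the customer's direct link rather than at the transit interface the packet arrived on.

```python
"""Model of border anti-spoofing filters: ingress ACL with multihomed
exceptions versus strict/loose uRPF.  All data below is constructed."""
from ipaddress import ip_address, ip_network

# Hypothetical address plan (RFC 5737 documentation space).
OUR_BLOCKS = [ip_network("192.0.2.0/24"), ip_network("198.51.100.0/24")]
# Sub-block assigned to a multihomed customer who may legitimately
# source it via another provider, so it must not be filtered inbound.
MULTIHOMED_CUSTOMER_BLOCKS = [ip_network("198.51.100.128/26")]

# Hypothetical routing table: (prefix, outgoing interface).  The default
# route points at the transit provider; customer blocks at customer links.
ROUTES = [
    (ip_network("0.0.0.0/0"), "transit0"),
    (ip_network("192.0.2.0/24"), "cust-a"),
    (ip_network("198.51.100.0/24"), "cust-b"),
    (ip_network("198.51.100.128/26"), "cust-c"),
]


def build_deny_list(our_blocks, exceptions):
    """Prefixes to deny inbound on transit interfaces: our own blocks with
    every multihomed-customer block carved out (address_exclude splits a
    block into the covering subnets that do not overlap the exception)."""
    deny = []
    for block in our_blocks:
        remaining = [block]
        for exc in exceptions:
            nxt = []
            for r in remaining:
                if exc.subnet_of(r):          # exception inside r (or equal)
                    nxt.extend(r.address_exclude(exc))
                elif r.subnet_of(exc):        # r entirely covered: drop it
                    continue
                else:
                    nxt.append(r)
            remaining = nxt
        deny.extend(remaining)
    return sorted(deny, key=lambda n: (n.network_address, n.prefixlen))


DENY = build_deny_list(OUR_BLOCKS, MULTIHOMED_CUSTOMER_BLOCKS)


def ingress_acl(src, deny_list=DENY):
    """Border ACL decision for a packet arriving from a transit provider."""
    addr = ip_address(src)
    return "drop" if any(addr in n for n in deny_list) else "permit"


def urpf(src, ingress_iface, mode, routes=ROUTES):
    """uRPF decision.  Strict: permit only if the longest-match route back
    to src exits the ingress interface.  Loose: permit if any route exists."""
    addr = ip_address(src)
    matches = [(n, iface) for n, iface in routes if addr in n]
    if not matches:
        return "drop"
    if mode == "loose":
        return "permit"
    best_iface = max(matches, key=lambda t: t[0].prefixlen)[1]
    return "permit" if best_iface == ingress_iface else "drop"


def evaluate(src, ingress_iface="transit0"):
    """Return (acl, strict uRPF, loose uRPF) decisions for one packet."""
    return (ingress_acl(src), urpf(src, ingress_iface, "strict"),
            urpf(src, ingress_iface, "loose"))


if __name__ == "__main__":
    print("deny list:", [str(n) for n in DENY])
    for s in ("192.0.2.10", "198.51.100.130", "203.0.113.7"):
        print(s, "from transit0 ->", evaluate(s))
```

A spoofed packet from 192.0.2.10 arriving on transit0 is dropped by all three checks; a packet from the multihomed customer's 198.51.100.130 passes the ACL (it is carved out of the deny list) and loose uRPF, but strict uRPF drops it because the best route back points at cust-c; a packet from unrelated space 203.0.113.7 passes everything via the default route.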

More information about the NANOG mailing list