Alternic takes over Internic traffic
Dorn Hetzel
dorn at atl.eni.net
Tue Jul 15 21:17:58 UTC 1997
Since we run OSPF internally, we find it easier to do this by
setting up a 2501 (dedicated to the task) with static routes
pointing into a loopback interface which is filtered with an
access list to block all packets. The static routes are
redistributed into OSPF, which caused each static to suck
packets bound from anywhere in our network into the filter,
kill them, and log them. Of course, there is no risk of the
OSPF leaking to the outside world, though it covers our network
nicely, and we get logging of attempted replies to these
sites. Since OSPF is nicely classless, we block anythink from
a /32 up...
-Dorn Hetzel
Epoch Internet
On Tue, Jul 15, 1997 at 04:36:58PM +0100, Alex.Bligh wrote:
> [shock - operational ingredient to DNS issue on NANOG]
>
> I feel that a convenient way to filter out crud that polutes
> your DNS (or any other crud for that matter) might be:
> a) Configure a normally non-BGP speaking router in your IGP to
> run BGP under AS (say) 7778.
> b) Static the routes to all alternic's primary name servers to null0:
> (or better to a non-existent IP on an ethernet interface)
> c) redistribute these statics into BGP through a routemap if necessary.
> d) Set up peering with a router running BGP tagging the routes as
> no-export (make sure you don't distribute them to peers or customers).
>
> (credit to Paul Vixie for the "how to blackhole traffic" for spam
> reasons which I've borrowed here - *PAUL DID NOT RECOMMEND DOING THIS
> FOR DNS TRAFFIC - THIS IS ENTIRELY MY IDEA*).
>
> We're just about to do this. I'll tell you how it goes.
>
> Alex Bligh
> Xara Networks
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 289 bytes
Desc: not available
URL: <http://mailman.nanog.org/pipermail/nanog/attachments/19970715/354338eb/attachment.sig>
More information about the NANOG
mailing list