Filtering Best Practices, et al (Was Verio Peering, Gordon's Knot)
E.B. Dreger
eddy+public+spam at noc.everquick.net
Tue Oct 9 16:00:40 UTC 2001
> Date: Tue, 09 Oct 2001 07:58:19 -0700
> From: Grant A. Kirkwood <grant at virtical.net>
> I'm currently in the process of setting up a new border router,
> and the recent debate on the above topic got me wondering what
> the best practice filtering policy is? Is there one?
> And what do people put in place in terms of anti-spoofing ACLs
> and such? There's a wealth of information on these topics, but
> no real consensus.
+ If you're running BGP, filter your as-paths and netblocks to
avoid any unwanted redistribution. This is always a bad thing,
and long as-paths don't necessarily rule out a path being
taken; remember that local-pref overrides as-path length.
If it's an edge router, you needn't worry too much about prefix
length -- they're already filtered for you.
+ You want to prevent forged outbound packets. They have no
valid[1] use, and forged packets make tracing DoS attacks a
pain.
[1] I recall hearing that some satellite downlink Web service
required the ability to send packets from their netblock.
However, you can selectively allow these, as you would your own
netblock.
+ Disallow 10/8, 172.16/12, and 192.168/16 -- no need for them to
go anywhere.
Eddy
---------------------------------------------------------------------------
Brotsman & Dreger, Inc. - EverQuick Internet Division
Phone: +1 (316) 794-8922 Wichita/(Inter)national
Phone: +1 (785) 865-5885 Lawrence
---------------------------------------------------------------------------
Date: Mon, 21 May 2001 11:23:58 +0000 (GMT)
From: A Trap <blacklist at brics.com>
To: blacklist at brics.com
Subject: Please ignore this portion of my mail signature.
These last few lines are a trap for address-harvesting spambots. Do NOT
send mail to <blacklist at brics.com>, or you are likely to be blocked.
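The egress policy sketched in the post (drop forged sources, drop RFC 1918 space, selectively permit a foreign netblock as in footnote [1]) modelled as plain Python so the logic can be checked before it is turned into router ACLs. This is an added example, not Eddy's configuration; the netblocks and packets are constructed from documentation ranges, and the "satellite" block is a placeholder.

```python
"""Egress (anti-spoofing) filter model for a border router, added example only.
Netblocks and sample packets below are constructed, not taken from the post."""
from ipaddress import ip_address, ip_network

# RFC 1918 space: no need for it to go anywhere across the border, per the post.
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


class EgressPolicy:
    """Drops forged outbound packets: the source must be one of our netblocks
    or one of the explicitly permitted foreign netblocks (the footnote [1] case)."""

    def __init__(self, our_netblocks, permitted_foreign=()):
        self.ours = [ip_network(n) for n in our_netblocks]
        self.permitted = [ip_network(n) for n in permitted_foreign]

    def verdict(self, src, dst):
        """Return ("permit" | "deny", reason) for an outbound packet src -> dst."""
        s, d = ip_address(src), ip_address(dst)
        # Private addresses have no business crossing the border in either field.
        if any(s in n for n in RFC1918):
            return "deny", "rfc1918-source"
        if any(d in n for n in RFC1918):
            return "deny", "rfc1918-destination"
        # Anti-spoofing: only sources we are entitled to originate may leave.
        if any(s in n for n in self.ours) or any(s in n for n in self.permitted):
            return "permit", "valid-source"
        return "deny", "spoofed-source"


def filter_packets(policy, packets):
    """Apply the policy to (src, dst) pairs and return those allowed to leave."""
    return [(s, d) for s, d in packets if policy.verdict(s, d)[0] == "permit"]


if __name__ == "__main__":
    # Constructed: we own 203.0.113.0/24; 198.51.100.0/24 stands in for the
    # satellite downlink block that is selectively permitted per footnote [1].
    policy = EgressPolicy(["203.0.113.0/24"], permitted_foreign=["198.51.100.0/24"])
    sample = [
        ("203.0.113.7", "192.0.2.1"),    # legitimate, our own source
        ("198.51.100.9", "192.0.2.1"),   # permitted foreign source
        ("192.168.1.5", "192.0.2.1"),    # leaked private source
        ("203.0.113.7", "10.0.0.1"),     # private destination
        ("192.0.2.99", "192.0.2.1"),     # forged source, not ours
    ]
    for pkt in sample:
        print(pkt, policy.verdict(*pkt))
```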