aggregation & table entries

Iljitsch van Beijnum iljitsch at muada.com
Thu Oct 14 21:21:40 UTC 2004


On 14-okt-04, at 22:27, Daniel Roesen wrote:

>>> And what do you do with a BGP customer which sends you traffic from
>>> prefixes he doesn't want to announce to you? There are such customers.

>> The whole point of BCP38 is that this isn't supposed to happen.

> Unfortunately we are living in reality.

Tell that to the customers with the unrealistic wishes.

>> Yes, these restrictions are a huge pain in the rear end but a denial of
>> service without even the possibility to tell where the packets come
>> from is MUCH worse.

> What you actually want to know is what the ingress interfaces for the
> flows are.

For me, this has never been a big problem. (Not saying it isn't for 
anyone else.)

> And if the ingress interface is not a p2p interface, from
> which peer.

Sure, that helps, but it doesn't shut up the packets. With real 
addresses you can build filters and/or contact the source. Yes, both 
are hard to do. But with spoofed sources there is pretty much nothing 
you can do except hope that your transit choices were good ones and 
they'll investigate.

> Given that most DDoSses are mounted via huge zombie collections, there
> is not much point in knowing the real source IPs.

If the bottleneck isn't your ingress it is possible to filter tens of 
thousands of real sources. If the sources are fake you need to do much 
more destructive filtering.
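
[Added example, not part of the original message: a sketch of the "filter the real sources" case from the last paragraph, turning per-source flow counts into the smallest exact prefix list so that thousands of attacking hosts cost as few filter entries as possible. The flow records, the threshold and the names build_drop_list and is_dropped are assumptions made for illustration; the approach only works when source addresses are not spoofed.]

```python
import ipaddress
from collections import Counter

# Constructed flow records: (source, destination, packets). Documentation ranges only.
FLOWS = [
    ("198.51.100.0", "192.0.2.80", 9000),
    ("198.51.100.1", "192.0.2.80", 9000),
    ("198.51.100.2", "192.0.2.80", 9000),
    ("198.51.100.3", "192.0.2.80", 9000),
    ("203.0.113.7", "192.0.2.80", 3000),
    ("203.0.113.7", "192.0.2.80", 3000),   # same source seen in a second flow
    ("192.0.2.10", "192.0.2.80", 40),      # ordinary low-rate client
    ("198.51.100.9", "192.0.2.99", 9000),  # heavy, but towards another host
]


def build_drop_list(flows, victim, min_packets):
    """Return the minimal exact set of prefixes covering every heavy source.

    Sources are summed per address, kept if they sent at least min_packets
    to the victim, then merged. collapse_addresses() only joins adjacent
    blocks, so the result never covers an address that was not observed.
    """
    totals = Counter()
    for src, dst, packets in flows:
        if dst == victim:
            totals[src] += packets
    heavy = [ipaddress.ip_network(s) for s, n in totals.items() if n >= min_packets]
    drop_list = []
    for version in (4, 6):  # collapse_addresses() rejects mixed IPv4/IPv6 input
        same = [n for n in heavy if n.version == version]
        drop_list.extend(ipaddress.collapse_addresses(same))
    return drop_list


def is_dropped(drop_list, src):
    """True if src falls inside any prefix of the drop list."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in drop_list)


if __name__ == "__main__":
    for net in build_drop_list(FLOWS, "192.0.2.80", 5000):
        print("deny", net)
```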



