BGP route filtering. You want it.
tkapela at gmail.com
Mon Aug 11 15:47:34 CDT 2008
[Apologies in advance for operational content. I don't mean to distract
readers from the usual flamewars about rfc1918, bogon filtering, and
some of our favorite posters - gadi and n3td3v.]
I'd like to give a heads-up to the NANOG community regarding the talk
we recently gave at DEFCON.
The slides can be found here: http://eng.5ninesdata.com/~tkapela/iphd-2.ppt
In a nutshell, we demonstrated that current lack of secure filtering
infrastructure not only permits DoS-like attacks, but also full
"traffic monitoring" of arbitrary prefixes from essentially anywhere
in the world.
None of this should come as a surprise to the NANOG and
operationally-aware crowd - this has been discussed extensively
previously before on-list, and extensively at conferences. Additional
novelty presented is the returning of traffic back to victim network
over Internet (creative as-path prepends & loop detection) and
obscuring the 'additional hops' this sort of thing creates with
Suggested additional reading below: