BGP route filtering. You want it.

Anton Kapela tkapela at
Mon Aug 11 15:47:34 CDT 2008


[Apologies in advance for operational content. I Don't mean to distract
readers from the usual flamewars about rfc1918, bogon filtering, and
some of our favorite posters - gadi and n3td3v.]

I'd like to give a heads-up to the NANOG community regarding the talk
we recently gave at DEFCON.

The slides can be found here:

In a nutshell, we demonstrated that current lack of secure filtering
infrastructure not only permits DoS-like attacks, but also full
"traffic monitoring" of arbitrary prefixes from essentially anywhere
in the world.

None of this should come as surprise to the NANOG and
operationally-aware crowd - this has been discussed extensively
previously before on-list, and extensively at conferences. Additional
novelty presented is the returning of traffic back to victim network
over Internet (creative as-path prepends & loop detection) and
obscuring the 'additional hops' this sort of thing creates with
additive ttl.

Suggested additional reading below:


More information about the NANOG mailing list