Are we really this helpless? (Re: isprime DOS in progress)

Seth Mattinen sethm at rollernet.us
Fri Jan 23 20:05:43 CST 2009


Noel Butler wrote:
> On Sat, 2009-01-24 at 07:21, Chris McDonald wrote:
> 
>> We [AS3491] null0'd the IP earlier.  Rest-of-world encouraged to do the same :/
>>
> 
> 
> 
> Wrong approach, they are *innocent* in this as are the new targets.
> 
> insert into your favourite acl:
> deny udp host 66.230.160.1 neq 53 any eq 53
> deny udp host 66.230.128.15 neq 53 any eq 53
> 
> But it's much less work to add a filter on the name server as others
> have mentioned.
> 
> 


Having the world trying to keep up with ACL entries seems futile. Is 
there really nothing to be done about this? (Yes, I know, BCP38, but 
obviously the accomplice providers don't care.)

~Seth




More information about the NANOG mailing list