Todd Underwood was a little late
Jon Lewis
jlewis at lewis.org
Thu Jun 17 02:43:11 UTC 2010
On Thu, 17 Jun 2010, Mark Andrews wrote:
> Why was this traffic hitting your DNS server in the first place? It should
> have been rejected by the ingress filters preventing spoofing of the local
> network.
When I ran a smaller simpler network, I did have input filters on our
transit providers rejecting packets from our IP space. With a larger
network, multiple IP blocks, numerous multihomed customers, some of which
use IPs we've assigned them, it gets a little more complicated to do.
I could reject at our border, packets sourced from our IP ranges with
exceptions for any of the IP blocks we've assigned to multihomed
customers. The ACLs wouldn't be that long, or that hard to maintain. Is
this common practice?
----------------------------------------------------------------------
Jon Lewis | I route
Senior Network Engineer | therefore you are
Atlantic Net |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
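The border filter described above, modelled as an added example (not code from this post or from anyone on the thread): packets arriving from a transit provider are dropped if their source lies in our own address space, except where the source falls in a block delegated to a multihomed customer, whose legitimate traffic may reach us via another upstream. The prefixes are constructed from the RFC 5737 documentation ranges and the ACL name is hypothetical; nothing here reflects any real allocation.

```python
"""Model of a transit-ingress anti-spoofing filter with multihomed exceptions.

Added illustration only. Prefixes below are constructed placeholders taken
from the RFC 5737 documentation ranges, not real allocations.
"""
import ipaddress

# Constructed data: our own aggregates, and sub-blocks we assigned to
# customers who are multihomed and may announce them to other providers.
OUR_PREFIXES = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]
MULTIHOMED_CUSTOMER_PREFIXES = [
    ipaddress.ip_network("192.0.2.128/26"),  # constructed customer block
]


def bad_exceptions(ours, exceptions):
    """Return exception blocks that are NOT inside our aggregates.

    An exception outside our space does nothing useful in this filter
    and is almost certainly a typo, so it is worth catching before the
    ACL is pushed to a router.
    """
    return [exc for exc in exceptions
            if not any(exc.subnet_of(agg) for agg in ours)]


def transit_ingress_verdict(src, ours=OUR_PREFIXES,
                            exceptions=MULTIHOMED_CUSTOMER_PREFIXES):
    """Decide 'permit' or 'deny' for a packet with source `src` that
    arrived on a transit-facing interface. Exceptions are checked first,
    mirroring the required ordering of the rendered ACL below."""
    addr = ipaddress.ip_address(src)
    if any(addr in exc for exc in exceptions):
        return "permit"   # multihomed customer: may legitimately come via another upstream
    if any(addr in agg for agg in ours):
        return "deny"     # our own space should never be sourced from a transit link
    return "permit"       # not a spoof of our space; leave it to routing policy


def render_ios_acl(name, ours=OUR_PREFIXES,
                   exceptions=MULTIHOMED_CUSTOMER_PREFIXES):
    """Render the same policy as an IOS-style extended ACL.

    Order matters: the permit lines for customer exceptions must precede
    the deny of the covering aggregate, or the deny will shadow them.
    Denies are logged so spoofing attempts are visible to monitoring.
    """
    lines = [f"ip access-list extended {name}"]
    for exc in exceptions:
        lines.append(f" permit ip {exc.network_address} {exc.hostmask} any")
    for agg in ours:
        lines.append(f" deny ip {agg.network_address} {agg.hostmask} any log")
    lines.append(" permit ip any any")
    return "\n".join(lines)


if __name__ == "__main__":
    problems = bad_exceptions(OUR_PREFIXES, MULTIHOMED_CUSTOMER_PREFIXES)
    if problems:
        raise SystemExit(f"exceptions outside our space: {problems}")
    print(render_ios_acl("TRANSIT-IN-ANTISPOOF"))
    for src in ("192.0.2.10", "192.0.2.130", "203.0.113.7"):
        print(src, transit_ingress_verdict(src))
```

The same two lists drive both the verdict function and the rendered ACL, so the exception ordering is checked in one place; `bad_exceptions` should be run whenever the customer list changes, since an exception that is not inside one of our aggregates is a sign the wrong prefix was entered.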