Todd Underwood was a little late

Jon Lewis jlewis at
Thu Jun 17 02:43:11 UTC 2010

On Thu, 17 Jun 2010, Mark Andrews wrote:

> Why was this traffic hitting your DNS server in the first place?  It should
> have been rejected by the ingress filters preventing spoofing of the local
> network.

When I ran a smaller simpler network, I did have input filters on our 
transit providers rejecting packets from our IP space.  With a larger 
network, multiple IP blocks, numerous multihomed customers, some of which 
use IP's we've assigned them, it gets a little more complicated to do.

I could reject at our border, packets sourced from our IP ranges with 
exceptions for any of the IP blocks we've assigned to multihomed 
customers.  The ACLs wouldn't be that long, or that hard to maintain.  Is 
this common practice?

  Jon Lewis                   |  I route
  Senior Network Engineer     |  therefore you are
  Atlantic Net                |
_________ for PGP public key_________

More information about the NANOG mailing list