Todd Underwood was a little late
Mark Andrews
marka at isc.org
Thu Jun 17 03:27:09 UTC 2010
In message <Pine.LNX.4.61.1006162237180.5148 at soloth.lewis.org>, Jon Lewis writes:
> On Thu, 17 Jun 2010, Mark Andrews wrote:
>
> > Why was this traffic hitting your DNS server in the first place? It should
> > have been rejected by the ingress filters preventing spoofing of the local
> > network.
>
> When I ran a smaller simpler network, I did have input filters on our
> transit providers rejecting packets from our IP space. With a larger
> network, multiple IP blocks, numerous multihomed customers, some of which
> use IP's we've assigned them, it gets a little more complicated to do.
One can never do a perfect job but one can stop a large percentage
of the crap. You should know the multi-homed customers and their
address ranges so they become exceptions. You also run filters on
internal routers. There are internal ingress/egress points as well
as interconnects.
> I could reject at our border, packets sourced from our IP ranges with
> exceptions for any of the IP blocks we've assigned to multihomed
> customers. The ACLs wouldn't be that long, or that hard to maintain. Is
> this common practice?
>
> ----------------------------------------------------------------------
> Jon Lewis | I route
> Senior Network Engineer | therefore you are
> Atlantic Net |
> _________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
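The filtering scheme discussed above (reject packets arriving from transit whose source is in the network's own address space, with the blocks assigned to multihomed customers as exceptions, plus the matching egress check) is easy to reason about as a small model. The following is an added example, not code from this thread or from either poster; the prefixes are constructed RFC 5737 documentation addresses and the class name and method names are the example's own.

```python
"""Model of a transit-facing anti-spoofing filter with multihomed exceptions."""
import ipaddress
from collections import Counter

# Constructed sample data (documentation prefixes, not a real network).
OUR_PREFIXES = ["192.0.2.0/24", "198.51.100.0/24"]
# Blocks we assigned to multihomed customers: their packets may legitimately
# reach us via another provider, so they are exempt from the ingress check.
MULTIHOMED_EXCEPTIONS = ["198.51.100.64/26"]


class SpoofFilter:
    """Source-address filter for the border toward a transit provider.

    ingress: a packet arriving from transit must not carry a source from our
    own blocks, unless that source is a multihomed customer block we assigned.
    egress: a packet leaving toward transit must carry a source from our
    blocks, otherwise we are the one emitting spoofed traffic.
    """

    def __init__(self, our_prefixes, multihomed_exceptions):
        self.ours = [ipaddress.ip_network(p) for p in our_prefixes]
        self.exceptions = [ipaddress.ip_network(p) for p in multihomed_exceptions]
        # Sanity check: an exception outside our own space would be a typo,
        # not an exemption (customer-owned space passes the ingress check anyway).
        for exc in self.exceptions:
            if not any(exc.version == p.version and exc.subnet_of(p) for p in self.ours):
                raise ValueError(f"exception {exc} is not within any of our prefixes")

    def _in_any(self, addr, networks):
        return any(addr in net for net in networks)

    def ingress_allow(self, src):
        """True if a packet with source `src` may enter from a transit link."""
        addr = ipaddress.ip_address(src)
        if self._in_any(addr, self.exceptions):
            return True  # multihomed customer, may arrive via another provider
        return not self._in_any(addr, self.ours)  # our space from outside: spoofed

    def egress_allow(self, src):
        """True if a packet with source `src` may leave toward a transit link."""
        addr = ipaddress.ip_address(src)
        return self._in_any(addr, self.ours)

    def summarize(self, packets):
        """Count permit/deny decisions for (direction, source) pairs."""
        counts = Counter()
        for direction, src in packets:
            allowed = self.ingress_allow(src) if direction == "in" else self.egress_allow(src)
            counts[(direction, "permit" if allowed else "deny")] += 1
        return counts


# Constructed sample packets, one per case the filter has to handle.
SAMPLE_PACKETS = [
    ("in", "192.0.2.10"),      # our space arriving from transit: deny
    ("in", "198.51.100.70"),   # multihomed customer block: permit
    ("in", "203.0.113.5"),     # foreign source: permit
    ("out", "192.0.2.10"),     # our space leaving: permit
    ("out", "203.0.113.5"),    # not our space leaving: deny
]


def run_sample():
    """Apply the constructed filter to the constructed packets."""
    return SpoofFilter(OUR_PREFIXES, MULTIHOMED_EXCEPTIONS).summarize(SAMPLE_PACKETS)


if __name__ == "__main__":
    for (direction, verdict), n in sorted(run_sample().items()):
        print(f"{direction:>3} {verdict}: {n}")
```

The exception list is the only part that needs maintenance as customers are added or leave, and the constructor refuses an exception that is not inside the network's own space, which catches the most common editing mistake. Customers who multihome with their own address space do not need an entry, since their sources are never in the "ours" list and pass the ingress check as ordinary foreign traffic.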