Todd Underwood was a little late

Mark Andrews marka at
Thu Jun 17 03:27:09 UTC 2010

In message <Pine.LNX.4.61.1006162237180.5148 at>, Jon Lewis writes:
> On Thu, 17 Jun 2010, Mark Andrews wrote:
> > Why was this traffic hitting your DNS server in the first place?  It should
> > have been rejected by the ingress filters preventing spoofing of the local
> > network.
> When I ran a smaller simpler network, I did have input filters on our 
> transit providers rejecting packets from our IP space.  With a larger 
> network, multiple IP blocks, numerous multihomed customers, some of which 
> use IPs we've assigned them, it gets a little more complicated to do.

One can never do a perfect job but one can stop a large percentage
of the crap.  You should know the multi-homed customers and their
address ranges so they become exceptions.  You also run filters on
internal routers.  There are internal ingress/egress points as well
as interconnects.

> I could reject at our border, packets sourced from our IP ranges with 
> exceptions for any of the IP blocks we've assigned to multihomed 
> customers.  The ACLs wouldn't be that long, or that hard to maintain.  Is 
> this common practice?
> ----------------------------------------------------------------------
>   Jon Lewis                   |  I route
>   Senior Network Engineer     |  therefore you are
>   Atlantic Net                |
> _________ for PGP public key_________
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at
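The border filter discussed above (reject packets sourced from our own space, with exceptions for blocks assigned to multihomed customers), as an added illustration that is not part of the thread. All prefixes and addresses are constructed sample values; the rule format is generic and assumes an ordered first-match ACL like most router platforms use.

```python
from ipaddress import ip_address, ip_network

# Constructed sample data (RFC 5737 documentation ranges), not from the thread.
OUR_PREFIXES = [ip_network("203.0.113.0/24"), ip_network("198.51.100.0/22")]
# Blocks we assigned to multihomed customers: their traffic may legitimately
# arrive on our transit links with these sources, so they must be exempted.
MULTIHOMED_EXCEPTIONS = [ip_network("198.51.100.128/25")]


def check_exceptions(our_prefixes, exceptions):
    """Return exceptions that are not inside our space; those are config mistakes
    (an exception that matches nothing of ours only widens the permit list)."""
    return [e for e in exceptions
            if not any(e.subnet_of(p) for p in our_prefixes)]


def build_border_acl(our_prefixes, exceptions):
    """Ordered first-match rules for the inbound transit interface:
    permit multihomed customer blocks, deny everything else sourced from
    our space, then permit the rest of the Internet."""
    rules = [("permit", e) for e in exceptions]
    rules += [("deny", p) for p in our_prefixes]
    rules.append(("permit", ip_network("0.0.0.0/0")))
    return rules


def evaluate(acl, src):
    """Apply the ACL to a packet's source address; first matching rule wins."""
    addr = ip_address(src)
    for action, prefix in acl:
        if addr in prefix:
            return action
    return "deny"  # unreachable with the trailing permit-any, kept for safety


def render(acl):
    """Human-readable dump of the rule list, in the order it is evaluated."""
    return "\n".join(f"{i:>3}  {action:<6} source {prefix}"
                     for i, (action, prefix) in enumerate(acl, 1))


BORDER_ACL = build_border_acl(OUR_PREFIXES, MULTIHOMED_EXCEPTIONS)

if __name__ == "__main__":
    assert not check_exceptions(OUR_PREFIXES, MULTIHOMED_EXCEPTIONS)
    print(render(BORDER_ACL))
    for src in ("198.51.100.200", "198.51.100.5", "203.0.113.7", "192.0.2.1"):
        print(src, "->", evaluate(BORDER_ACL, src))
```

The same rule list, with the exception set emptied, is what Jon describes running on the smaller network; the exceptions are what grows as multihomed customers are added.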
