Dyn DDoS this AM?

marcel.duregards at yahoo.fr marcel.duregards at yahoo.fr
Sat Oct 22 15:40:22 UTC 2016


Patrick,

We are client of 3 tier1. On our netflow collector, we can observe that
RFC1918 sources ip traffic is entering our AS via 2 of those tier-1.
Yes, 2 bigs tier-1 allow private ip traffic coming from their networks,
clients, peerings to reach others customers, via Internet link, on
public ip.....Of course this traffic is dropped on our BGP borders as we
are filtering. But it's still filling the pipe, and this is still
INVALID/UNNAUTHORIZED traffic.

We wrote to them to verify if customers are technically allowed to send
RFC1918 traffic over their backbone, and if we are also allowed to do
so. And the answer was really evasive like :"contractually you're are
not allowed".

So now tell me WTF BCP38 will provide you when tier1 does not care at
all and does not maintain basic filtering to/from their customers.
And then they try to sell you their anti ddos services, because you know
DDOS it sucks. Big joke.

What about BCP38+84 on 30 tier-1 instead of asking/hoping 55k others
autonomous-system having good filters in place ?

--
Marcel

On 21.10.2016 17:48, Patrick W. Gilmore wrote:
> To the rest of the community:
> If you can help, please do. I know a lot of you are thinking “what can I do?" There is a lot you can do. BCP38 & BCP84 instantly come to mind. Sure, that doesn’t help Mirai, but it still helps. There are many other things you can do as well.


More information about the NANOG mailing list