automatic rtbh trigger using flow data

Roland Dobbins rdobbins at
Thu Aug 30 23:59:29 UTC 2018

On 31 Aug 2018, at 6:47, Aaron Gould wrote:

> I'm really surprised that you all are doing this based on source ip, 
> simply because I thought the distribution of botnet members around the 
> world we're so extensive that I never really thought it possible to 
> filter based on sources, i

Using S/RTBH to drop attack sources has been a valid and useful 
mitigation tactic for close to 20 years.  Any kind of modern router 
scales up to large numbers of sources; and note that S/RTBH isn't 
limited to /32s.

It's discussed in this .pdf preso:


Roland Dobbins <rdobbins at>

More information about the NANOG mailing list