BGP prefix filter list

John Kristoff jtk at
Mon May 20 23:26:48 UTC 2019

On Mon, 20 May 2019 23:09:02 +0000
Seth Mattinen <sethm at> wrote:

> A good start would be killing any /24 announcement where a covering 
> aggregate exists.

I wouldn't do this as a general rule.  If an attacker knows networks are
1) not pointing default, 2) dropping /24's, 3) not validating the
aggregates, and 4) no actual legitimate aggregate exists, (all
reasonable assumptions so far for many /24's), then they have a pretty
good opportunity to capture that traffic.


More information about the NANOG mailing list