BGP prefix filter list

Seth Mattinen sethm at
Tue May 21 00:57:31 UTC 2019

On 5/20/19 4:26 PM, John Kristoff wrote:
> On Mon, 20 May 2019 23:09:02 +0000
> Seth Mattinen<sethm at>  wrote:
>> A good start would be killing any /24 announcement where a covering
>> aggregate exists.
> I wouldn't do this as a general rule.  If an attacker knows networks are
> 1) not pointing default, 2) dropping /24's, 3) not validating the
> aggregates, and 4) no actual legitimate aggregate exists, (all
> reasonable assumptions so far for many /24's), then they have a pretty
> good opportunity to capture that traffic.

I'm talking about the case where someone has like a /20 and announces 
the /20 plus every /24 it contains. I regard those as garbage announcements.

More information about the NANOG mailing list