nanog mailing list archives

More on black-holed reserved/8 block.


From: Valdis.Kletnieks () vt edu
Date: Thu, 20 Jul 2000 13:12:03 -0400

As one person explained to me, often miscreants broadcast a bogus route
so they can launch an attack from a 'reserved' space.

What I was probably not clear enough about in my original question was why the
person at bungi.com was even TRYING to traceroute to a 98/ address.  Was
it something that showed up in an access log as a failed attempt, or?

Is it the case that above.net is black-holing packets with a *destination*
in the RBL, but *not* filtering packets with a *source* address from
the RBL?  If so, this would still allow RPC-based attacks (and TCP as well,
if the victim's box had bad sequence number prediction).

What are other sites that use the RBL BGP feed doing in this case?

(And yes, I understand that many routers can route to a blackhole destination
a lot faster than they can apply an ACL on the source).

-- 
                                Valdis Kletnieks
                                Operating Systems Analyst
                                Virginia Tech

traceroute to 98.100.32.32 (98.100.32.32): 1-30 hops, 38 byte packets
 1  main.bungi.com (207.126.97.9)  2.15 ms  1.73 ms  1.86 ms
 2  above-gw2.above.net (207.126.96.217)  4.41 ms  4.88 ms  3.67 ms
 3  core5-main2-oc3.sjc.above.net (216.200.0.205)  3.62 ms  4.56 ms  7.53 ms
 4  core3-core5-oc48.sjc2.above.net (208.184.102.206)  6.34 ms  5.7 ms  5.3 ms
 5  iad-sjc2-oc48.iad.above.net (216.200.127.25)  73.0 ms  79.7 ms  72.6 ms
 6  hat.address.is.on.the.rbl.see.www.mail-abuse.org.for.more.information.above.net
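
An added example (not part of the original message): a small Python model of the question raised above, comparing a router that only null-routes blackholed destinations with one that also drops packets whose source resolves to the null route. The source check is a loose reverse-path test assumed here for comparison, not something the thread says above.net does; the routing table, the 192.0.2.0/24 network and all function names are constructed for illustration.

```python
import ipaddress

# Constructed routing table: (prefix, next hop). "blackhole" stands for a null
# route learned from a blackhole feed; 98.0.0.0/8 is the block in the thread.
ROUTES = [
    (ipaddress.ip_network("0.0.0.0/0"), "upstream"),
    (ipaddress.ip_network("98.0.0.0/8"), "blackhole"),
    (ipaddress.ip_network("192.0.2.0/24"), "customer"),  # constructed network
]

def lookup(addr):
    """Longest-prefix match: return the next hop for addr."""
    ip = ipaddress.ip_address(addr)
    matches = [(net.prefixlen, hop) for net, hop in ROUTES if ip in net]
    return max(matches)[1]  # the default route guarantees at least one match

def forward(src, dst, source_check=False):
    """Decide what the router does with one packet."""
    # Assumed loose reverse-path check: drop if the source itself is null-routed.
    if source_check and lookup(src) == "blackhole":
        return "drop (source is blackholed)"
    hop = lookup(dst)
    if hop == "blackhole":
        return "drop (destination is blackholed)"
    return "forward to " + hop

def one_way_exchange(listed_src, target, source_check):
    """A packet from a blackholed source, then the target's reply to it."""
    request = forward(listed_src, target, source_check)
    if request.startswith("forward"):
        reply = forward(target, listed_src, source_check)
    else:
        reply = "never sent"
    return request, reply

if __name__ == "__main__":
    for check in (False, True):
        req, rep = one_way_exchange("98.100.32.32", "192.0.2.10", check)
        print("source_check=%s: request -> %s; reply -> %s" % (check, req, rep))
```

With destination-only blackholing the request still reaches the customer network and only the reply is discarded, which is why a protocol that needs no reply is unaffected by the null route.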
