nanog mailing list archives
Re: UUNet Offer New Protection Against DDoS
From: Patrick W. Gilmore <patrick () ianai net>
Date: Wed, 3 Mar 2004 17:40:29 -0500
On Mar 3, 2004, at 5:22 PM, Stephen J. Wilcox wrote:
> > > I'm puzzled by one aspect on the implementation.. how to build your customer prefix filters.. that is, we have prefix-lists for prefix and length. Therefore at present we can only accept a tagged route for a whole block.. not good if the announcement is a /16 etc !

> > MCI handles this by only filtering on prefix, not length. Well, allowing you to only announce up to your length, not shorter, but longer is allowed.

> Hmm not keen, have moved acl->prefix w/len to stop folks from doing this, in addition we have an extra filter which overrides anything that would deny anything longer than a /24. I'm not keen to change that.. LART appears to have little or no effect with my customers, preemption appears to be the only way!
What's wrong with letting customers announce /32s into your network, as long as you do not pass it to anyone else (including other customers)?
Here is what I did (when I had a network =) :

* Prefix filter customers in, allowing more specifics
* Filter > /24s & Bogons out to customers
* Bogon & /24 filter peers in
* Bogon, /24, and cust-only community filter peers out

Theoretically, the Bogon out filters are irrelevant, since your table should be clean from the inbound filters, but I like "belt and suspenders". (Plus one day I leaked a slew of 10-net from a NOC test LAN and hit one of the Merit instability mailing lists. Burned once, twice shy. :)
-- TTFN, patrick
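
The four filters listed in the message above, modeled as an added Python example that is not part of the original post or of any router configuration. The customer name, address blocks and function names are constructed for illustration, the bogon list is a short sample rather than a complete one, and the "cust-only community" check is reduced to a boolean.

```python
import ipaddress as ip

# Constructed sample data (private and documentation ranges), not from the thread.
BOGONS = [ip.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CUSTOMER_BLOCKS = {"cust-a": [ip.ip_network("198.51.100.0/24")]}
MAX_LEN = 24  # longest prefix allowed to leave this network or arrive from peers


def is_bogon(prefix):
    """True if the prefix sits inside any listed bogon block."""
    return any(prefix.subnet_of(b) for b in BOGONS)


def customer_in(customer, prefix):
    """Customers in: the registered block or any more specific, never shorter."""
    p = ip.ip_network(prefix)
    return any(p.subnet_of(block) for block in CUSTOMER_BLOCKS.get(customer, []))


def peer_in(prefix):
    """Peers in: no bogons, nothing longer than /24."""
    p = ip.ip_network(prefix)
    return not is_bogon(p) and p.prefixlen <= MAX_LEN


def customer_out(prefix):
    """Out to customers: no bogons, nothing longer than /24."""
    p = ip.ip_network(prefix)
    return not is_bogon(p) and p.prefixlen <= MAX_LEN


def peer_out(prefix, from_customer):
    """Peers out: customer-learned routes only, no bogons, nothing longer than /24."""
    return from_customer and customer_out(prefix)


def fate(customer, prefix):
    """Where one customer announcement ends up once all the filters have run."""
    accepted = customer_in(customer, prefix)
    return {
        "accepted": accepted,
        "to_customers": accepted and customer_out(prefix),
        "to_peers": accepted and peer_out(prefix, from_customer=True),
    }


if __name__ == "__main__":
    for route in ("198.51.100.0/24", "198.51.100.7/32", "198.51.0.0/16"):
        print(route, fate("cust-a", route))
```

A customer /32 is accepted into the local table but is stopped by both outbound filters, which is the behaviour the message argues for.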