Re: Todd Underwood was a little late

[Mark Andrews <marka () isc org>]

In message <Pine.LNX.4.61.1006162237180.5148 () soloth lewis org>, Jon Lewis write
s:
> On Thu, 17 Jun 2010, Mark Andrews wrote:
>
> > Why was this traffic hitting your DNS server in the first place?  It should
> > have been rejected by the ingress filters preventing spoofing of the local
> > network.
>
> When I ran a smaller simpler network, I did have input filters on our 
> transit providers rejecting packets from our IP space.  With a larger 
> network, multiple IP blocks, numerous multihomed customers, some of which 
> use IP's we've assigned them, it gets a little more complicated to do.

One can never do a perfect job but one can stop a large percentage
of the crap.  You should know the multi-homed customers and their
address ranges so they become exceptions.  You also run filters on
internal routers.  There are internal ingress/egress points as well
as interconnects.

> I could reject at our border, packets sourced from our IP ranges with 
> exceptions for any of the IP blocks we've assigned to multihomed 
> customers.  The ACLs wouldn't be that long, or that hard to maintain.  Is 
> this common practice?
>
> ----------------------------------------------------------------------
>   Jon Lewis                   |  I route
>   Senior Network Engineer     |  therefore you are
>   Atlantic Net                |
> _________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka () isc org