nanog mailing list archives

RE: Defeating DoS Attacks Through Accountability


From: John Fraizer <nanog () EnterZone Net>
Date: Sat, 11 Nov 2000 22:33:33 -0500 (EST)


On Sat, 11 Nov 2000, Mark Mentovai wrote:

> Barry Raveendran Greene wrote:
> > > I'll put it this way: filtering should be done against blocks that a
> > > customer can announce, not against blocks that a customer is actively
> > > announcing.  If you're filtering purely against current advertisements,
> > > you're bound to break something sooner or later.
> >
> > Good theory. But what one public source do all the ISPs agree to validate the
> > authority to announce?
>
> Regional IP address allocating bodies - in other words, ARIN.  If you aren't
> listed as responsible for the block in question, you should either have the
> information updated (SWIP or rwhois) or obtain written authorization from a
> representative of the organization controlling the block.  It's far from
> perfect because enthusiasm for providing accurate data via SWIP and rwhois
> doesn't really exist as it should, but it's probably the best anyone can
> come up with.  Perhaps putting SWIP and rwhois data to a good use such as
> this would increase awareness of it and cause the databases to become more
> appropriately populated.
>
> Mark

Filtering based on assigned/allocated address space should be the norm,
not the exception.  If a customer isn't listed in the ARIN database, or
whichever RIR has authority for the address space in question, we won't
accept announcements from them for that space, period, the end.  If the
entity who assigned/allocated the address space to them is unwilling to
provide up-to-date information via SWIP/RWHOIS, we are very happy to point
out to the customer how lazy/stupid/irresponsible that entity is and
explain our reasons for not accepting announcements for said address
space.

We have run into some delays with providers when we obtained new address
space and needed to announce it.  The prefix-list filters that were in
place said "I don't think so!"  So, it took 20 mins to get someone with
the authority to change the prefix-list on the phone and another 5 minutes
for them to change the prefix-list and another 30 seconds for me to type
"clear ip bgp NNNN soft out".  It's a small price to pay for the peace of
mind of knowing that in the event we misconfigure something, we're not
going to leak transit routes, default, blah blah blah into the global
routing table.
---
John Fraizer
EnterZone, Inc
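As an added illustration of the allocation-based filtering described in the thread (example code, not from the post or from EnterZone), the following Python builds a customer's inbound prefix-list from a stand-in for RIR/SWIP allocation records rather than from whatever the customer is currently announcing. The customer names, address blocks, the /24 maximum prefix length and the IOS-style list name are assumptions.

```python
"""Derive a per-customer BGP prefix-list from allocation data, not from
current announcements. Added example; the allocation table is constructed
sample data standing in for an ARIN/SWIP/rwhois lookup."""
import ipaddress

# Constructed stand-in for RIR/SWIP records: customer -> blocks they are
# listed as holding. A real deployment would query whois/rwhois instead.
ALLOCATIONS = {
    "customer-a": ["192.0.2.0/24", "198.51.100.0/22"],
    "customer-b": ["203.0.113.0/24"],
}

# Longest prefix accepted from a customer (assumed policy value).
MAX_LEN = 24


def authorized_blocks(customer, allocations=ALLOCATIONS):
    """Blocks the customer is recorded as holding; [] if nothing is listed."""
    return [ipaddress.ip_network(b) for b in allocations.get(customer, [])]


def is_authorized(customer, prefix, allocations=ALLOCATIONS, max_len=MAX_LEN):
    """True if prefix is within a recorded block and not longer than max_len.

    An unlisted customer gets nothing accepted, matching the "period, the
    end" policy: fix the SWIP/rwhois data first, then the filter follows."""
    net = ipaddress.ip_network(prefix)
    if net.prefixlen > max_len:
        return False
    return any(net.subnet_of(blk) for blk in authorized_blocks(customer, allocations))


def prefix_list(customer, allocations=ALLOCATIONS, max_len=MAX_LEN):
    """Render IOS-style 'ip prefix-list' lines: one permit per allocated
    block (more-specifics allowed up to max_len), then an explicit deny."""
    name = f"cust-{customer}-in"
    lines = []
    for blk in authorized_blocks(customer, allocations):
        seq = 5 * (len(lines) + 1)
        le = "" if blk.prefixlen >= max_len else f" le {max_len}"
        lines.append(f"ip prefix-list {name} seq {seq} permit {blk}{le}")
    lines.append(f"ip prefix-list {name} seq {5 * (len(lines) + 1)} deny 0.0.0.0/0 le 32")
    return lines


if __name__ == "__main__":
    for cust in ("customer-a", "customer-b", "not-listed"):
        print("\n".join(prefix_list(cust)))
```

Because the list is generated from allocations, a newly assigned block is accepted as soon as the registry data is updated and the list regenerated, without waiting for the customer to announce it first.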