nanog mailing list archives
blocking unallocated subnets
From: "John S. Bucy" <bucy () gloop org>
Date: Fri, 2 Dec 2005 14:45:52 -0500
I work for a large email provider and we've run into trouble delivering mail to certain sites after bringing up new servers in a recently allocated subnet of 72/8.

Apparently, some folks decided it would be a good policy to protect their nameservers from ddos attacks to silently drop requests from unallocated subnets. So they obtained a list of subnets at some point in the past, deployed it and then never updated it. This manifests itself in our system when the dns query repeatedly times out on the smtp servers in that subnet while it works from elsewhere. In the instances we've run into this, it only seemed to affect dns and not, say, smtp connections.

I just wanted to try to raise some awareness of this practice and the trouble it may cause if the ruleset gets out-of-date. This caused us a pretty major headache, the result of which is that we've given up for now on trying to deliver mail out of that subnet.

john
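Added example, not part of the original post: a small audit that compares a deployed drop list of "unallocated" prefixes against a current allocation snapshot and reports entries that have gone stale, the failure mode described in the message above. The prefix lists are constructed sample data and the function names are hypothetical.

```python
import ipaddress

# Constructed sample data, not taken from any real deployment.
# A drop list snapshotted at a time when 72/8 was still unallocated.
DEPLOYED_DROP_LIST = ["0.0.0.0/8", "10.0.0.0/8", "72.0.0.0/8", "240.0.0.0/4"]
# Hypothetical snapshot of prefixes that are allocated today.
CURRENT_ALLOCATIONS = ["72.1.0.0/16", "198.51.100.0/24"]


def parse(prefixes):
    """Parse CIDR strings, rejecting entries with host bits set."""
    return [ipaddress.ip_network(p, strict=True) for p in prefixes]


def stale_entries(drop_list, allocations):
    """Map each drop-list prefix to the allocated prefixes it now overlaps."""
    drops, allocs = parse(drop_list), parse(allocations)
    stale = {}
    for d in drops:
        hits = [a for a in allocs if a.version == d.version and d.overlaps(a)]
        if hits:
            stale[str(d)] = [str(a) for a in hits]
    return stale


def matching_rule(source_ip, drop_list):
    """Return the most specific drop-list prefix containing source_ip, or None."""
    ip = ipaddress.ip_address(source_ip)
    matches = [n for n in parse(drop_list) if n.version == ip.version and ip in n]
    return str(max(matches, key=lambda n: n.prefixlen)) if matches else None


if __name__ == "__main__":
    for rule, allocated in stale_entries(DEPLOYED_DROP_LIST, CURRENT_ALLOCATIONS).items():
        print(f"stale rule {rule} now covers allocated space: {', '.join(allocated)}")
    # A resolver in the newly allocated space would have its queries dropped.
    print("72.1.2.3 matched by:", matching_rule("72.1.2.3", DEPLOYED_DROP_LIST))
```

Run on a schedule against a fresh allocation snapshot, a check like this turns a silently outdated ruleset into an alert before legitimate queries start timing out.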