nanog mailing list archives
Re: BCP38/84 and DDoS ACLs
From: joel jaeggli <joelja () bogus com>
Date: Fri, 26 May 2017 17:44:18 -0700
On 5/26/17 10:24, Kody Vicknair wrote:
When I was doing some research in regards to the same subject I ran across this doc. I've found it to be very helpful. http://nabcop.org/index.php/DDoS-DoS-attack-BCOP
Casually applied RPF checks applied to transit and peer interfaces, especially exchange fabrics, have a very high likelihood of blackholing traffic you wanted, particularly during maintenance, if not casually implemented. A very careful read of rfc3704/bcp 84 is a necessary part of implementing bcp 38 filters.
Kody Vicknair
Network Engineer
Tel: 985.536.1214
Fax: 985.536.0300
Email: kvicknair () reservetele com
Reserve Telecommunications
100 RTC Dr
Reserve, LA 70084

Disclaimer: The information transmitted, including attachments, is intended only for the person(s) or entity to which it is addressed and may contain confidential and/or privileged material which should not disseminate, distribute or be copied. Please notify Kody Vicknair immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. E-mail transmission cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. Kody Vicknair therefore does not accept liability for any errors or omissions in the contents of this message, which arise as a result of e-mail transmission.

-----Original Message-----
From: NANOG [mailto:nanog-bounces+kvicknair=reservetele.com () nanog org] On Behalf Of Roland Dobbins
Sent: Friday, May 26, 2017 12:20 PM
To: nanog () nanog org
Subject: Re: BCP38/84 and DDoS ACLs

On 26 May 2017, at 22:39, Graham Johnston wrote:

I am looking for information regarding standard ACLs that operators may be using at the internet edge of their network, on peering and transit connections,

These .pdf presos may be of interest:

<https://app.box.com/s/ko8lk4vlh1835p36na3u>
<https://app.box.com/s/xznjloitly2apixr5xge>

They talk about iACL and tACL design philosophy.

What traffic you should permit/deny on your network is, of course, situationally-specific. Depends on what kind of network it is, what servers/services/applications/users you have, et. al. You may need one set of ACLs at the peering/transit edge, and other, more specific ACLs, at the IDC distribution gateway, customer aggregation gateway, et. al.
----------------------------------- Roland Dobbins <rdobbins () arbor net>
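
An added illustration, not part of the thread or of any poster's configuration: a toy model of the strict, feasible-path and loose RPF checks described in RFC 3704, run against a constructed routing table, showing how the mode chosen on a peer or exchange interface decides whether legitimate asymmetric traffic is dropped. Interface names (`transit0`, `ix0`), the `RIB` layout and the documentation prefixes are assumptions made for the example.

```python
import ipaddress

# Constructed RIB (assumption): prefix -> {interface: is_best_path}.
RIB = {
    # Multihomed network learned on both interfaces; transit is the best path.
    "198.51.100.0/24": {"transit0": True, "ix0": False},
    # Exchange session withdrawn for maintenance; only the transit route remains.
    "203.0.113.0/24": {"transit0": True},
}

def lookup(rib, src):
    """Longest-prefix match on the source; None when the source is unrouted."""
    addr = ipaddress.ip_address(src)
    nets = [ipaddress.ip_network(p) for p in rib]
    matches = [n for n in nets if addr in n]
    if not matches:
        return None
    return rib[str(max(matches, key=lambda n: n.prefixlen))]

def urpf_accepts(rib, mode, src, in_if):
    """Apply one RPF mode to a packet with source `src` arriving on `in_if`."""
    paths = lookup(rib, src)
    if paths is None:
        return False              # no route to the source (no default modelled)
    if mode == "loose":
        return True               # any route to the source is enough
    if mode == "feasible":
        return in_if in paths     # some route, best or not, via the ingress interface
    if mode == "strict":
        return paths.get(in_if, False)  # best route must point out the ingress interface
    raise ValueError(f"unknown RPF mode: {mode}")

def compare(rib, src, in_if):
    """Verdict of every mode for the same packet."""
    return {m: urpf_accepts(rib, m, src, in_if) for m in ("strict", "feasible", "loose")}

if __name__ == "__main__":
    cases = [
        ("198.51.100.7", "ix0", "asymmetric return path via exchange"),
        ("203.0.113.9", "ix0", "exchange route withdrawn for maintenance"),
        ("192.0.2.1", "ix0", "source with no route at all"),
    ]
    for src, in_if, note in cases:
        print(f"{src:>14} on {in_if}: {compare(RIB, src, in_if)}  # {note}")
```
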