[110942] in North American Network Operators' Group
RE: Are we really this helpless? (Re: isprime DOS in progress)
daemon@ATHENA.MIT.EDU (Frank Bulk)
Fri Jan 23 22:59:20 2009
From: "Frank Bulk" <frnkblk@iname.com>
To: "'Seth Mattinen'" <sethm@rollernet.us>,
<nanog@nanog.org>
In-Reply-To: <497A7777.2060003@rollernet.us>
Date: Fri, 23 Jan 2009 21:58:56 -0600
Errors-To: nanog-bounces@nanog.org
What's interesting in all of this is that ISPrime has been experiencing
this for most of this week, yet neither they nor any of us has shared a
network that is sourcing this traffic.
I know I haven't bothered asking my upstream provider which backbone
provider is sending them the "ISPrime" traffic, so I'm just as guilty as
anyone.
Frank
-----Original Message-----
From: Seth Mattinen [mailto:sethm@rollernet.us]
Sent: Friday, January 23, 2009 8:06 PM
To: nanog@nanog.org
Subject: Are we really this helpless? (Re: isprime DOS in progress)
Noel Butler wrote:
> On Sat, 2009-01-24 at 07:21, Chris McDonald wrote:
>
>> We [AS3491] null0'd the IP earlier. Rest-of-world encouraged to do
>> the same :/
>
> Wrong approach, they are *innocent* in this as are the new targets.
>
> insert into your favourite acl:
> deny udp host 66.230.160.1 neq 53 any eq 53
> deny udp host 66.230.128.15 neq 53 any eq 53
>
> But it's much less work to add a filter on the name server as others
> have mentioned.
Having the world trying to keep up with ACL entries seems futile. Is
there really nothing to be done about this? (Yes, I know, BCP38, but
obviously the accomplice providers don't care.)
~Seth