[125122] in North American Network Operators' Group
Re: BGP hijack from 23724 -> 4134 China?
daemon@ATHENA.MIT.EDU (Suresh Ramasubramanian)
Fri Apr 9 02:28:31 2010
In-Reply-To: <20100409062237.GD1087@reif.karrenberg.net>
Date: Fri, 9 Apr 2010 11:58:02 +0530
From: Suresh Ramasubramanian <ops.lists@gmail.com>
To: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
It depends. Preventing packet flow from a rather more carefully
selected list of prefixes may actually make sense.
These for example - www.spamhaus.org/drop/
Filtering prefixes that your customers may actually exchange valid
email / traffic with, and that are not 100% bad is not the best way to
go.
Block specific prefixes from China, the USA, Eastern Europe, wherever
- that are a specific threat to your network .. great. Even better
if you are able to manage that blocking and avoid turning your router
ACLs into a sort of Hotel California for prefixes.
On Fri, Apr 9, 2010 at 11:52 AM, Daniel Karrenberg
<daniel.karrenberg@ripe.net> wrote:
>
>
> **** Selectively preventing packet flow is *not* a security measure.
>
> **** Selectively preventing packet flow leads to unexpected and hard to d=
iagnose breakage.
>
> **** Many independent actors selectively preventing packet flow will even=
tually
> =C2=A0 =C2=A0 partition the Internet sufficiently to break it beyond reco=
gnition.
--=20
Suresh Ramasubramanian (ops.lists@gmail.com)
