[127186] in North American Network Operators' Group
Re: Todd Underwood was a little late
daemon@ATHENA.MIT.EDU (Roy)
Thu Jun 17 00:39:19 2010
Date: Wed, 16 Jun 2010 21:38:42 -0700
From: Roy <r.engehausen@gmail.com>
CC: nanog@nanog.org
In-Reply-To: <Pine.LNX.4.61.1006162237180.5148@soloth.lewis.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On 6/16/2010 7:43 PM, Jon Lewis wrote:
> On Thu, 17 Jun 2010, Mark Andrews wrote:
>
>> Why was this traffic hitting your DNS server in the first place? It
>> should have been rejected by the ingress filters preventing spoofing of
>> the local network.
>
> When I ran a smaller simpler network, I did have input filters on our
> transit providers rejecting packets from our IP space. With a larger
> network, multiple IP blocks, numerous multihomed customers, some of
> which use IPs we've assigned them, it gets a little more complicated
> to do.
>
> I could reject at our border, packets sourced from our IP ranges with
> exceptions for any of the IP blocks we've assigned to multihomed
> customers. The ACLs wouldn't be that long, or that hard to maintain.
> Is this common practice?
>
Sounds like a good use of URPF.
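Added example, not part of the thread: a small Python model of the two mechanisms being discussed, the border ACL Jon describes (deny packets sourced from our own ranges, with permits in front for the blocks assigned to multihomed customers) and the uRPF check Roy suggests, in both strict and loose mode. All prefixes, interface names and FIB entries below are constructed from documentation address space and are not anyone's real allocations; the IOS rendering is illustrative syntax, not a tested device configuration.

```python
"""Model a BCP38-style anti-spoofing ingress ACL and a unicast RPF check.

Constructed example: every prefix and interface name here is made up
(RFC 5737 documentation space), not a real allocation.
"""
import ipaddress

# Our own aggregates (constructed).
OUR_BLOCKS = ["203.0.113.0/24", "198.51.100.0/24"]
# Sub-blocks assigned to multihomed customers; packets sourced from these
# may legitimately arrive via a transit provider (constructed).
MULTIHOMED_CUSTOMER_BLOCKS = ["203.0.113.64/26", "198.51.100.192/27"]


def build_ingress_acl(our_blocks, multihomed_blocks):
    """Return an ordered ACL for a transit-facing interface.

    Order is the whole point: permits for the multihomed-customer exceptions
    come first, then denies for our own aggregates, then permit-any.
    """
    ours = [ipaddress.ip_network(o) for o in our_blocks]
    acl = []
    for b in multihomed_blocks:
        net = ipaddress.ip_network(b)
        # An exception outside our space would silently widen the permit.
        if not any(net.subnet_of(o) for o in ours):
            raise ValueError(f"{b} is not inside our address space")
        acl.append(("permit", net))
    for o in ours:
        acl.append(("deny", o))
    acl.append(("permit", ipaddress.ip_network("0.0.0.0/0")))
    return acl


def acl_action(acl, src):
    """First-match evaluation of a source address; implicit deny at the end."""
    addr = ipaddress.ip_address(src)
    for action, net in acl:
        if addr in net:
            return action
    return "deny"


def to_ios(acl, name="TRANSIT-IN"):
    """Render the ACL as Cisco IOS-style extended ACL text (illustrative)."""
    lines = [f"ip access-list extended {name}"]
    for action, net in acl:
        if net.prefixlen == 0:
            lines.append(f" {action} ip any any")
        else:
            lines.append(f" {action} ip {net.network_address} {net.hostmask} any")
    return "\n".join(lines)


def make_fib(entries):
    """entries: list of (prefix string, outgoing interface)."""
    return [(ipaddress.ip_network(p), iface) for p, iface in entries]


def urpf_check(fib, src, ingress_iface, mode="loose"):
    """Emulate unicast RPF on one packet.

    strict: the best route to the source must point back out the ingress
            interface (breaks asymmetric/multihomed customers on transit).
    loose:  any non-null route to the source is enough.
    """
    addr = ipaddress.ip_address(src)
    matches = [(net, iface) for net, iface in fib if addr in net]
    if not matches:
        return False
    best_net, best_iface = max(matches, key=lambda m: m[0].prefixlen)
    if best_iface == "Null0":
        return False  # null-routed sources fail in both modes
    if mode == "strict":
        return best_iface == ingress_iface
    return True


if __name__ == "__main__":
    acl = build_ingress_acl(OUR_BLOCKS, MULTIHOMED_CUSTOMER_BLOCKS)
    print(to_ios(acl))
    fib = make_fib([("203.0.113.0/24", "Gi0/1"), ("203.0.113.64/26", "Gi0/2"),
                    ("0.0.0.0/0", "Gi0/0"), ("192.0.2.0/24", "Null0")])
    # Multihomed customer's packet arriving via transit Gi0/0:
    print("strict:", urpf_check(fib, "203.0.113.70", "Gi0/0", "strict"))
    print("loose: ", urpf_check(fib, "203.0.113.70", "Gi0/0", "loose"))
```

The FIB run shows the trade-off behind the thread: strict uRPF on the transit interface drops the multihomed customer's legitimate packet (the best route to 203.0.113.64/26 points at the customer port, not the transit port), while loose uRPF passes it but, because a route to our own space always exists, also passes a spoofed packet sourced from any other address in our ranges. The ACL with explicit exceptions is what actually rejects those, which is why the two are usually combined: strict uRPF on single-homed customer ports, and an ACL like TRANSIT-IN (with loose uRPF, mainly to drop null-routed and unrouted sources) on transit.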