[161701] in North American Network Operators' Group


Re: Open Resolver Problems

daemon@ATHENA.MIT.EDU (Jared Mauch)
Mon Mar 25 16:37:09 2013

From: Jared Mauch <jared@puck.nether.net>
In-Reply-To: <51507CCA.60901@pubnix.net>
Date: Mon, 25 Mar 2013 16:36:48 -0400
To: ahebert@pubnix.net
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org


On Mar 25, 2013, at 12:35 PM, Alain Hebert <ahebert@pubnix.net> wrote:

>    Well,
>
>    Why would you only go after them?
>
>    Easier target to mitigate the problem?
>
>    That might be just me, but I find those peers allowing their
> customers to spoof source IP addresses more at fault.
>
>    PS: Some form of adaptive rate limitation works for it btw =D

Folks should be deploying unicast-rpf facing their statically routed
infrastructure.  This includes server lans, PPPoE Pools, etc.  Place the
filtering at the edge where feasible.  This would also include things
like your firewall and other devices that shouldn't leak/emit spoofed
packets.

If you don't know how to do this, or check on it, please ask around,
either here or on cisco-nsp or juniper-nsp for your platforms.

- Jared
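
The strict unicast RPF check recommended in the message above, modelled in Python as an added example (not part of the original post and not any vendor's implementation): a packet is forwarded only if the best route back to its source address points out the interface it arrived on. The interface names, prefixes and sample packets are constructed for illustration.

```python
import ipaddress

# Constructed FIB for a hypothetical edge router: (prefix, egress interface).
FIB = [
    (ipaddress.ip_network("0.0.0.0/0"), "upstream0"),       # default to transit
    (ipaddress.ip_network("192.0.2.0/26"), "serverlan0"),   # static: server LAN
    (ipaddress.ip_network("198.51.100.0/24"), "pppoe0"),    # static: PPPoE pool
]

# Strict uRPF is enabled only on interfaces facing statically routed
# infrastructure, as the message advises; the upstream is left unchecked here.
URPF_STRICT = {"serverlan0", "pppoe0"}


def reverse_path_interface(src):
    """Longest-prefix match on the SOURCE address: which interface would the
    router use to send traffic back to it? Returns None if there is no route."""
    addr = ipaddress.ip_address(src)
    matches = [(net, ifc) for net, ifc in FIB if addr in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def urpf_accept(ingress, src):
    """Strict mode: accept only when the reverse path equals the ingress."""
    if ingress not in URPF_STRICT:
        return True
    return reverse_path_interface(src) == ingress


def filter_packets(packets):
    """Return (ingress, src, verdict) for each (ingress, src) pair."""
    return [(i, s, "forward" if urpf_accept(i, s) else "drop")
            for i, s in packets]


# Constructed sample traffic: (ingress interface, claimed source address).
SAMPLE = [
    ("serverlan0", "192.0.2.10"),    # legitimate server
    ("serverlan0", "203.0.113.7"),   # spoofed: route back is via upstream0
    ("pppoe0", "198.51.100.44"),     # legitimate subscriber
    ("pppoe0", "192.0.2.10"),        # spoofed: source belongs to the server LAN
    ("upstream0", "203.0.113.7"),    # uRPF not enabled on this interface
]

if __name__ == "__main__":
    for ingress, src, verdict in filter_packets(SAMPLE):
        print(f"{ingress:11} src={src:15} {verdict}")
```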

