[162175] in North American Network Operators' Group
Re: route for linx.net in Level3?
daemon@ATHENA.MIT.EDU (Tom Paseka)
Thu Apr 4 15:38:23 2013
In-Reply-To: <20130404192903.GA51151@ussenterprise.ufp.org>
Date: Thu, 4 Apr 2013 12:38:12 -0700
From: Tom Paseka <tom@cloudflare.com>
To: NANOG <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Thu, Apr 4, 2013 at 12:29 PM, Leo Bicknell <bicknell@ufp.org> wrote:
>
> But hey, this is a good thing because a DDOS caused issues, right?
> Well, not so much. Even if the exchange does not advertise the
> exchange LAN, it's probably the case that it is in the IGP (or at
> least IBGP) of everyone connected to it, and by extension all of
> their customers with a default route pointed at them. For the most
> popular exchanges (AMS-IX, for instance) I suspect the percentage
> of end users who can reach the exchange LAN without it being
> explicitly routed to be well over 80%, perhaps into the upper 90%
> range. So when those boxes DDOS, they are going to all DDOS the
> LAN anyway.
Yes, that's why everyone needs to set up some sanity in their networks.
This was presented at an APNIC conference a little while back:
http://conference.apnic.net/__data/assets/pdf_file/0018/50706/apnic34-mike-jager-securing-ixp-connectivity_1346119861.pdf
Hundreds of networks are improperly set up and are being abused (and
abusing) to the IXP LANs.
>
> Security through obscurity does not work. This is going to annoy some
> people just trying to do their day job, and not make a statistical
> difference to the attackers trying to take out infrastructure.
This isn't security through obscurity. This is saving the IXP from
getting 100's of G's over transit, which should just be for their
corporate network.
>
> How about we all properly implement BCP 38 instead?
Agree.
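As an added illustration of the two pieces of "sanity" the thread asks for (BCP 38 ingress filtering, and keeping the exchange LAN unreachable from customers and transit), here is a small Python model of the checks an IXP member's edge router would apply. This is example code written for this archive page, not code from the thread, the APNIC talk, or any vendor; the interface names, prefixes (RFC 5737 documentation ranges) and packets are all constructed sample data.

```python
"""
Added example (not from the NANOG thread): a model of two edge filters.

  1. BCP 38 ingress filtering: a packet arriving on a customer-facing
     interface is accepted only if its source address lies inside a
     prefix assigned to that customer.
  2. Exchange-LAN protection: packets addressed to the IXP peering LAN
     are accepted only when they arrive on the peering interface itself,
     so customers with a default route towards us (or our transit
     providers) cannot reach the exchange LAN through us.

All prefixes, interface names and packets below are constructed.
"""
import ipaddress
from dataclasses import dataclass

# Hypothetical exchange peering LAN (RFC 5737 documentation prefix).
IXP_LAN = ipaddress.ip_network("203.0.113.0/24")
# Hypothetical name of the interface that faces the exchange.
PEERING_IFACE = "ge-0/0/0"

# Hypothetical customer address assignments keyed by attaching interface.
CUSTOMER_PREFIXES = {
    "ge-0/0/1": [ipaddress.ip_network("198.51.100.0/24")],
    "ge-0/0/2": [ipaddress.ip_network("192.0.2.0/25"),
                 ipaddress.ip_network("192.0.2.128/26")],
}


@dataclass(frozen=True)
class Packet:
    ingress: str  # interface the packet arrived on
    src: str      # source IPv4 address
    dst: str      # destination IPv4 address


def bcp38_check(pkt):
    """BCP 38: on customer-facing interfaces, accept only assigned sources."""
    assigned = CUSTOMER_PREFIXES.get(pkt.ingress)
    if assigned is None:
        # Peering or transit interface: no per-customer assignment to check.
        return True, "not a customer interface"
    src = ipaddress.ip_address(pkt.src)
    if any(src in prefix for prefix in assigned):
        return True, "source within customer assignment"
    return False, "spoofed source (BCP 38)"


def ixp_lan_check(pkt):
    """Only the peering interface may deliver traffic to the exchange LAN."""
    dst = ipaddress.ip_address(pkt.dst)
    if dst in IXP_LAN and pkt.ingress != PEERING_IFACE:
        return False, "exchange LAN reachable only via peering interface"
    return True, "destination is not the exchange LAN, or arrived via peering"


def filter_packet(pkt):
    """Apply both checks in order; first failure decides the verdict."""
    for check in (bcp38_check, ixp_lan_check):
        ok, reason = check(pkt)
        if not ok:
            return "drop", reason
    return "accept", "passed all checks"


# Constructed sample traffic, one packet per scenario from the thread.
SAMPLE_PACKETS = [
    Packet("ge-0/0/1", "198.51.100.7", "192.0.2.9"),     # ordinary customer traffic
    Packet("ge-0/0/1", "10.99.0.1", "192.0.2.9"),        # spoofed source from a customer
    Packet("ge-0/0/1", "198.51.100.7", "203.0.113.45"),  # customer sending to the IXP LAN
    Packet("ge-0/0/0", "203.0.113.45", "203.0.113.46"),  # peer-to-peer traffic on the LAN
    Packet("ge-0/0/3", "192.0.2.200", "203.0.113.45"),   # arrives from transit, aimed at the LAN
]


def run_filters(packets=SAMPLE_PACKETS):
    """Return a (verdict, reason) pair for each packet."""
    return [filter_packet(p) for p in packets]


if __name__ == "__main__":
    for pkt, (verdict, reason) in zip(SAMPLE_PACKETS, run_filters()):
        print(f"{pkt.ingress:9} {pkt.src:>15} -> {pkt.dst:<15} {verdict:6} ({reason})")
```

The second check is what keeps "hundreds of G's" from reaching the exchange over transit or from downstream customers: whether or not the LAN prefix leaks into the IGP or iBGP, a packet for it that did not enter on the peering port is dropped at the edge. On real routers the same intent is expressed with uRPF or ingress ACLs on customer ports and an ACL or null route for the exchange prefix on everything except the peering interface.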