North American Network Operators Group
i've been tracking some spammers through unallocated address space of late. i'm about to have to turn on extreme-level debugging in my bgp speaker, since what's been happening is that a route is injected "somewhere" to unallocated space, a whole boatload of relayspam is unloaded in a matter of minutes, and the unallocated-space route is withdrawn.

so i read with some interest the recent nanog discussions about how folks knew that a given customer really was the owner of some prefix they wanted to use. while i heard some good answers from some well known parties, the silence from the ramparts was deafening.

a lot of younger ISP's inject their IGP into their EGP. we hear about this when autoaggregation fails, but we don't hear about it when routing table bloat doesn't cause us to focus our attention on it. older ISP's all or mostly all know that everything they inject into their EGP should be a nailed up static, and that the multihomed exceptions are few enough to treat as one-off's.

however, when you set up BGP peerage with somebody, you're at the mercy of whatever level of selectivity they use in their injections. that is, most folks do not use RPSL or the PRDB or whatever to control what they'll listen to from a BGP peer. the assumption of trust and competence still runs high among people who speak BGP to each other.

so the question that's got me perturbed at the moment is, if a spammer wanted to spam from unallocated address space using five minute windows, would YOUR routing core allow it?

subquestion 1: if the spammer is your customer.
subquestion 2: if the spammer is a customer of one of your BGP peers.
subquestion 3: if the spammer is a customer of a distant BGP-connected AS.

i've sent reply-to to myself. i will summarize responses back to the list.
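
An added example, not part of the original post: one way to spot the pattern described above (a route to unallocated space announced and withdrawn within minutes) in a BGP update log. The log format, the `ALLOCATED` list, the function names and the ten-minute threshold are assumptions; prefixes and AS numbers are constructed from the documentation ranges.

```python
import ipaddress
from datetime import datetime, timedelta

# Assumed stand-in for registry allocation data (documentation prefixes).
ALLOCATED = [ipaddress.ip_network(p) for p in ("192.0.2.0/24", "198.51.100.0/24")]

# Constructed update log: timestamp, A(nnounce)/W(ithdraw), prefix, peer AS.
SAMPLE_LOG = """\
2000-01-01T10:00:00 A 192.0.2.0/24 64500
2000-01-01T10:01:00 A 203.0.113.0/24 64501
2000-01-01T10:05:30 W 203.0.113.0/24 64501
2000-01-01T10:07:00 A 198.51.100.128/25 64502
2000-01-01T10:09:00 W 198.51.100.128/25 64502
2000-01-01T11:00:00 A 203.0.113.64/26 64503
"""

def is_allocated(prefix, allocated=ALLOCATED):
    """True only if the announced prefix lies entirely inside an allocated block."""
    return any(prefix.version == block.version and prefix.subnet_of(block)
               for block in allocated)

def find_unallocated_routes(log, allocated=ALLOCATED, window=timedelta(minutes=10)):
    """Return (prefix, peer_as, lifetime_seconds, short_lived) for every
    announcement outside allocated space; lifetime is None while still announced."""
    active = {}    # (prefix, peer_as) -> (index into findings, announce time)
    findings = []
    for line in log.splitlines():
        if not line.strip():
            continue
        stamp, action, prefix_text, peer_as = line.split()
        when = datetime.fromisoformat(stamp)
        prefix = ipaddress.ip_network(prefix_text)
        key = (prefix, int(peer_as))
        if action == "A" and not is_allocated(prefix, allocated):
            if key not in active:
                active[key] = (len(findings), when)
                findings.append([str(prefix), int(peer_as), None, False])
        elif action == "W" and key in active:
            index, started = active.pop(key)
            lifetime = when - started
            findings[index][2] = int(lifetime.total_seconds())
            findings[index][3] = lifetime <= window
    return [tuple(f) for f in findings]

if __name__ == "__main__":
    for finding in find_unallocated_routes(SAMPLE_LOG):
        print(finding)
```

The short flap of `198.51.100.128/25` is not reported because it sits inside allocated space; only announcements outside the allocation list are tracked.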