Re: Defeating DoS Attacks Through Accountability

  • From: Mark Mentovai
  • Date: Sat Nov 11 11:30:07 2000

Mark Prior wrote:
>It's not the route filters per se, it's the fact that the principle we
>use is if you don't announce the route to us we won't accept traffic
>sourced by that network. Saying that you are the source for the
>network but not advertising the route doesn't cut it.

Not so fast, there are situations when you are authorized to have a certain
chunk of address space but elect not to advertise it a certain way for
whatever reason.  Maybe someone has a pipe that they want to use for
outbound traffic only and they don't want to use it at all for inbound traffic,
and as a result, they don't advertise their routes across it.  What
justification do you use for dropping traffic that falls into this category?

Obviously, I wouldn't want a situation where I could simply give my provider
a list of addresses for them to permit without checking that I'm authorized
- providers should always check that their customers are authorized to use
the blocks they intend to use.

I'll put it this way: filtering should be done against blocks that a
customer can announce, not against blocks that a customer is actively
announcing.  If you're filtering purely against current advertisements,
you're bound to break something sooner or later.
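
The two filtering policies contrasted in this message, as an added example that is not part of the original post: it checks the same source addresses against a filter built from the blocks a customer is authorized to use and against one built only from the routes currently announced on the link. The prefixes are constructed RFC 5737 documentation ranges, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample data (RFC 5737 documentation prefixes), not from the post.
AUTHORIZED = ["192.0.2.0/24", "198.51.100.0/24"]  # blocks the customer is verified to hold
ANNOUNCED_ON_LINK = ["192.0.2.0/25"]              # routes currently advertised over this link

def build_filter(prefixes):
    """Parse IPv4 prefixes and collapse overlapping or adjacent blocks."""
    nets = [ipaddress.ip_network(p, strict=True) for p in prefixes]
    return list(ipaddress.collapse_addresses(nets))

def permits(acl, src):
    """True if the source address falls inside any permitted network."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in acl)

def compare_policies(authorized, announced, sources):
    """Return {source: verdict} comparing the two source-address filters."""
    auth_acl = build_filter(authorized)
    ann_acl = build_filter(announced)
    verdicts = {}
    for src in sources:
        by_auth, by_ann = permits(auth_acl, src), permits(ann_acl, src)
        if by_auth and by_ann:
            verdicts[src] = "permitted by both"
        elif by_auth:
            # Authorized space that is simply not advertised over this link,
            # e.g. an outbound-only pipe: the announcement-based filter breaks it.
            verdicts[src] = "legitimate, dropped by announcement-based filter"
        elif by_ann:
            # A route is being announced for space the customer was never
            # verified to hold: worth flagging for review.
            verdicts[src] = "announced but not authorized"
        else:
            verdicts[src] = "dropped by both"
    return verdicts

if __name__ == "__main__":
    samples = ["192.0.2.10", "192.0.2.200", "198.51.100.7", "203.0.113.9"]
    for src, verdict in compare_policies(AUTHORIZED, ANNOUNCED_ON_LINK, samples).items():
        print(f"{src:15} {verdict}")
```
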