North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

RE: Defeating DoS Attacks Through Accountability

  • From: John Fraizer
  • Date: Sat Nov 11 22:36:32 2000

On Sat, 11 Nov 2000, Mark Mentovai wrote:

> Barry Raveendran Greene wrote:
> >> I'll put it this way: filtering should be done against blocks that a
> >> customer can announce, not against blocks that a customer is actively
> >> announcing.  If you're filtering purely against current advertisements,
> >> you're bound to break something sooner or later.
> >
> >Good theory. But what one public source do all the ISP agree to validate the
> >authority to announce?
> Regional IP address allocating bodies - in other words, ARIN.  If you aren't
> listed as responsible for the block in question, you should either have the
> information updated (SWIP or rwhois) or obtain written authorization from a
> representative of the organization controlling the block.  It's far from
> perfect because enthusiasm for providing accurate data via SWIP and rwhois
> doesn't really exist as it should, but it's probably the best anyone can
> come up with.  Perhaps putting SWIP and rwhois data to a good use such as
> this would increase awareness of it and cause the databases to become more
> appropriately populated.
> Mark

Filtering based on assigned/allocated address space should be the norm,
not the exception.  If a customer isn't listed in the ARIN database, or
whichever RIR has authority for the address space in question, we won't
accept announcements from them for that space, period, the end.  If the
entity who assigned/allocated the address space to them is unwilling to
provide up-to-date information via SWIP/RWHOIS, we are very happy to point
out to the customer how lazy/stupid/irresponsible that entity is and
explain our reasons for not accepting announcements for said address

We have run into some delays with providers when we obtained new address
space and needed to announce it.  The prefix-list filters that were in
place said "I don't think so!"  So, it took 20 mins to get someone with
the authority to change the prefix-list on the phone and another 5 minutes
for them to change the prefix-list and another 30 seconds for me to type
"clear ip bgp NNNN soft out".  It's a small price to pay for the peace of
mind of knowing that in the event we misconfigure something, we're not
going to leak transit routes, default, blah blah blah into the global
routing table.

John Fraizer
EnterZone, Inc