On 2019-06-24 20:16, Mark Tinka wrote: > > > On 24/Jun/19 16:11, Job Snijders wrote: > >> >> - deploy RPKI based BGP Origin validation (with invalid == reject) >> - apply maximum prefix limits on all EBGP sessions >> - ask your router vendor to comply with RFC 8212 ('default deny') >> - turn off your 'BGP optimizers' > > I cannot over-emphasize the above, especially the BGP optimizers. > > Mark. >
+1 https://honestnetworker.net/2019/06/24/leaking-your-optimized-routes-to-stub-networks-that-then-leak-it-to-a-tier1-transit-that-doesnt-filter/ -- hugge