In message <pine.lnx.4.61.1006162237180.5...@soloth.lewis.org>, Jon Lewis writes:
> On Thu, 17 Jun 2010, Mark Andrews wrote:
>
> > Why was this traffic hitting your DNS server in the first place? It should
> > have been rejected by the ingress filters preventing spoofing of the local
> > network.
>
> When I ran a smaller, simpler network, I did have input filters on our
> transit providers rejecting packets from our IP space. With a larger
> network, multiple IP blocks, numerous multihomed customers, some of which
> use IPs we've assigned them, it gets a little more complicated to do.
One can never do a perfect job but one can stop a large percentage of the
crap. You should know the multi-homed customers and their address ranges
so they become exceptions. You also run filters on internal routers.
There are internal ingress/egress points as well as interconnects.

> I could reject at our border, packets sourced from our IP ranges with
> exceptions for any of the IP blocks we've assigned to multihomed
> customers. The ACLs wouldn't be that long, or that hard to maintain. Is
> this common practice?
>
> ----------------------------------------------------------------------
> Jon Lewis                   | I route
> Senior Network Engineer     | therefore you are
> Atlantic Net                |
> _________ http://www.lewis.org/~jlewis/pgp for PGP public key_________

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
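The border policy the two of them are describing (drop transit-facing packets that claim a source in our own space, with carve-outs for blocks delegated to multihomed customers) is small enough to model and to render as an ACL. The following is an added example, not code from either poster or from ISC or Atlantic Net. It assumes RFC 5737 documentation prefixes as constructed sample data, IPv4 only, and Cisco IOS-style extended ACL syntax for the rendered output; the prefix lists, the function names and the sample packets are all invented for illustration.

```python
"""Border anti-spoofing ingress filter with multihomed-customer exceptions.

Added example, not from the original thread. Assumptions:
  - LOCAL_PREFIXES: the blocks this network originates (constructed sample
    values from RFC 5737 documentation space).
  - MULTIHOMED_EXCEPTIONS: sub-blocks assigned to multihomed customers, whose
    packets may legitimately arrive from a transit provider.
  - Rendered ACL uses Cisco IOS extended-ACL syntax; other vendors differ.
"""
import ipaddress
from typing import Dict, Iterable, List, Tuple

# Constructed sample data (RFC 5737 documentation ranges), not real allocations.
LOCAL_PREFIXES = ["192.0.2.0/24", "198.51.100.0/24"]
MULTIHOMED_EXCEPTIONS = ["198.51.100.64/26"]


def _nets(cidrs: Iterable[str]) -> List[ipaddress.IPv4Network]:
    # strict=True rejects a CIDR with host bits set, e.g. a typo in the list.
    return [ipaddress.ip_network(c, strict=True) for c in cidrs]


def ingress_verdict(src: str,
                    local: Iterable[str] = LOCAL_PREFIXES,
                    exceptions: Iterable[str] = MULTIHOMED_EXCEPTIONS) -> str:
    """Verdict ('permit' or 'deny') for a packet with source `src` arriving
    on a transit-facing interface. Exceptions are checked first: a
    multihomed customer's block is a hole in the deny, so it must win."""
    ip = ipaddress.ip_address(src)
    if any(ip in n for n in _nets(exceptions)):
        return "permit"
    if any(ip in n for n in _nets(local)):
        return "deny"
    return "permit"  # everything else is ordinary inbound transit traffic


def render_ios_acl(name: str,
                   local: Iterable[str] = LOCAL_PREFIXES,
                   exceptions: Iterable[str] = MULTIHOMED_EXCEPTIONS) -> List[str]:
    """Render the same policy as an IOS-style extended ACL (assumed syntax).
    Order matters: exception permits precede the deny lines, and a final
    'permit ip any any' lets the rest of the transit traffic through.
    IOS wildcard masks are the inverse of the netmask, i.e. hostmask."""
    lines = [f"ip access-list extended {name}"]
    for n in _nets(exceptions):
        lines.append(f" permit ip {n.network_address} {n.hostmask} any")
    for n in _nets(local):
        lines.append(f" deny ip {n.network_address} {n.hostmask} any")
    lines.append(" permit ip any any")
    return lines


def audit(packets: Iterable[Tuple[str, str]]) -> Dict[str, int]:
    """Count verdicts over a batch of (src, dst) pairs; only src is examined."""
    counts = {"permit": 0, "deny": 0}
    for src, _dst in packets:
        counts[ingress_verdict(src)] += 1
    return counts


if __name__ == "__main__":
    # Constructed sample packets: a spoof of our own space, a legitimate
    # multihomed customer arriving via another provider, and plain transit.
    sample = [("192.0.2.5", "192.0.2.53"),        # spoofed local source
              ("198.51.100.70", "192.0.2.53"),    # multihomed exception
              ("203.0.113.9", "192.0.2.53")]      # ordinary transit
    print("\n".join(render_ios_acl("NO-SPOOF-IN")))
    print(audit(sample))
```

The ACL would be applied inbound on each transit-facing interface (`ip access-group NO-SPOOF-IN in` on IOS). The exception lines are exactly the hole the thread is worried about: anyone can still forge a source inside a multihomed customer's block through the border, so that block is guarded on the customer-facing side instead (a per-interface filter or strict uRPF there), which is the same "filters on internal routers" point made above.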