> From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of William
> Herrin
> Sent: Thursday, October 04, 2018 8:53 PM
>
> > - RFC 1918 for loopbacks and PTP
> >   - Immediately “protects” from the internet at large, as they aren’t
> >     routable.
> >   - Traceroutes are miserable.
> 
> Also breaks PMTUD which can break TCP for everybody whose packets
> transit your router. So don't do this.
> 
Only if you have a lower MTU on your core links than on your edge, which is a
huge design flaw.
Also, most of the internet backbones out there are MPLS based, meaning the
traceroutes are, well, "sparse" to say the least, so I wouldn't worry about this
that much.


> Another option is to let it be announced but filter the packets at your 
> border.
> 
That defeats the whole purpose of this exercise.
Yes, we all use infrastructure ACLs to protect our infrastructure, but if the
infra-block is advertised the DDoS is still delivered to your doorstep; even if
you filter it at the edge interfaces, the damage has been done already, as your
upstream pipes are full.

If your infra-ranges are not advertised, your infrastructure simply can't be
targeted by any DDoS attack.


adam 
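As an added illustration of the PMTUD point argued above (example code, not from either poster), the model below walks a DF-set packet along a path and reports whether Path MTU Discovery can complete. Hop names, addresses and MTUs are constructed, and the sending host is assumed to drop ICMP errors sourced from RFC 1918 space, as a typical bogon filter would.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# RFC 1918 space; ICMP errors sourced from here are assumed to be dropped by
# the sender's bogon filter (assumption, as stated in the lead-in).
PRIVATE = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE)

@dataclass
class Hop:
    name: str
    src: str  # address this router would use to source an ICMP error
    mtu: int  # MTU of the link the packet leaves this router on

def pmtud(path: List[Hop], size: int,
          filter_private_icmp: bool = True) -> Tuple[str, Optional[str], Optional[int]]:
    """Send one DF-set packet of `size` bytes along `path`.

    Returns (outcome, hop, mtu):
      "delivered"    the packet fit every link, so no ICMP was ever needed
      "ptb_received" a router sent Too Big and the sender can lower its MTU
      "black_hole"   Too Big was sent from RFC 1918 space and got filtered
    """
    for hop in path:
        if size <= hop.mtu:
            continue
        if filter_private_icmp and is_rfc1918(hop.src):
            return ("black_hole", hop.name, None)
        return ("ptb_received", hop.name, hop.mtu)
    return ("delivered", None, size)

# Constructed sample paths: edges public, core links numbered from 10/8.
EDGE_OK = [Hop("edge1", "203.0.113.1", 1500), Hop("core1", "10.1.1.1", 1500),
           Hop("core2", "10.1.1.2", 1500), Hop("edge2", "203.0.113.2", 1500)]
# Same core addressing, but one core link has a lower MTU than the edge.
LOW_CORE = [Hop("edge1", "203.0.113.1", 1500), Hop("core1", "10.1.1.1", 1400),
            Hop("core2", "10.1.1.2", 1500), Hop("edge2", "203.0.113.2", 1500)]
# Same low-MTU link, but its router sources ICMP from public space.
LOW_CORE_PUBLIC = [Hop("edge1", "203.0.113.1", 1500),
                   Hop("core1", "198.51.100.1", 1400),
                   Hop("core2", "10.1.1.2", 1500), Hop("edge2", "203.0.113.2", 1500)]

if __name__ == "__main__":
    for name, p in (("EDGE_OK", EDGE_OK), ("LOW_CORE", LOW_CORE), ("LOW_CORE_PUBLIC", LOW_CORE_PUBLIC)):
        print(name, pmtud(p, 1500))
```

With a uniform MTU the private addressing never matters because no Too Big is generated; the black hole appears only when a core link is smaller than the edge and the error is sourced from unroutable space.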
