Home page logo
/

nanog logo nanog mailing list archives

Re: Alternic takes over Internic traffic
From: Dorn Hetzel <dorn () atl eni net>
Date: Tue, 15 Jul 1997 17:17:58 -0400


Since we run OSPF internally, we find it easier to do this by 
setting up a 2501 (dedicated to the task) with static routes
pointing into a loopback interface which is filtered with an
access list to block all packets.  The static routes are
redistributed into OSPF, which caused each static to suck
packets bound from anywhere in our network into the filter,
kill them, and log them.  Of course, there is no risk of the
OSPF leaking to the outside world, though it covers our network
nicely, and we get logging of attempted replies to these
sites.  Since OSPF is nicely classless, we block anythink from
a /32 up...

        -Dorn Hetzel
        Epoch Internet

On Tue, Jul 15, 1997 at 04:36:58PM +0100, Alex.Bligh wrote:
[shock - operational ingredient to DNS issue on NANOG]

I feel that a convenient way to filter out crud that polutes
your DNS (or any other crud for that matter) might be:
a) Configure a normally non-BGP speaking router in your IGP to
   run BGP under AS (say) 7778.
b) Static the routes to all alternic's primary name servers to null0:
   (or better to a non-existent IP on an ethernet interface)
c) redistribute these statics into BGP through a routemap if necessary.
d) Set up peering with a router running BGP tagging the routes as
   no-export (make sure you don't distribute them to peers or customers).

(credit to Paul Vixie for the "how to blackhole traffic" for spam
reasons which I've borrowed here - *PAUL DID NOT RECOMMEND DOING THIS
FOR DNS TRAFFIC - THIS IS ENTIRELY MY IDEA*).

We're just about to do this. I'll tell you how it goes.

Alex Bligh
Xara Networks

Attachment: _bin
Description:


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]