nanog mailing list archives

Re: SMURF amplifier block list
From: barton () cent net
Date: Sun, 12 Apr 1998 14:10:25 -0400 (EDT)

The following networks and masks are banned from our network at the core due
to being smurf amplifiers.

The earlier suggestion to use the vixie blackhole system was rebuffed 
because the volunteers are just that, and already overworked.

But re-using the existing infrastructure with suitable controls and
a modest amount of cooperation and agreement has enormous potential.

Using communities should be the key to safely adding different hit-lists
to AS-7777 feeds.

If current recipients of AS-7777 feeds could all simply add tests
for specific communities to the existing route-maps being used
to implement the black-holing, many different filters with
even radically different policies can coexist on the same feed
and each site can select which lists it chooses to use.

The vixie folks could take additional feeds from selected 3rd parties
and suitably tag these with the necessary communities, and yet not
have to actively maintain the additional lists themselves.

Paul's original list could be 7777:1, and perhaps the unassigned
address blocks should be 7777:2. Karl's list could be 7777:3.

Problem areas would be when the same network is on several different
hit-lists and needs the communities of each, and the fact that I believe
the version of GATED Paul & Co. are running does not support communities.

A simplifying rule might be that if a network were already
on Paul's list(s) and tagged with 7777:1 or even combinations
of communities Paul maintained, it simply would not be
propagated with the additional 7777:3 community or whatever is used for
Karl's list.

If it dropped off Paul's list(s), Karl's feed tagged 7777:3 would 
then be used.

Perhaps the newer version of gated Paul hadn't yet installed a while ago
solves all this, or perhaps someone has an idle cisco to loan/give Paul 
that could enable using communities with low impact on the volunteers.

I wonder how many of the current recipients can handle adding a 
community list and then a match statement into their current
black-hole route-map so it only does the current function despite
additional lists being added, and if any remaining recipients unable 
or unwilling to deal with communities would mind using the 
additional filtering.

Subject to the current legal agreements Paul demands, perhaps
Karl could take Paul's current feed, the list of folks already
signed up and authorised for the feed but that want MORE lists
tagged with communities, and simply redistribute to them
with his own additions suitably tagged.

I don't know if they have changed, but the early AS-7777 instructions
emphasised using the IP address of *THE* port facing
towards Paul's machine. 

This is not necessary for this multi-hop application and may be
difficult in a multi-homed world in any case. A loopback works
well.
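The recipient-side configuration the message is asking for, as an added example that is not part of the original post and not taken from the AS-7777 instructions: a Cisco IOS fragment that matches one community per hit-list in the inbound route-map and blackholes only the lists the site has opted into. The local AS number (64500), the feed neighbor address (10.0.0.2), the blackhole next-hop (192.0.2.1) and the community-list numbers are assumptions chosen for illustration; the community values 7777:1 and 7777:3 are the ones proposed above. A short sender-side fragment shows how a redistributor such as Karl would tag his additions.

```cisco
! Added example (not from the original post). AS numbers, neighbor and
! next-hop addresses are assumptions; 7777:1 / 7777:3 follow the post.
!
! Lets communities be written as AA:NN rather than a single 32-bit integer.
ip bgp-community new-format
!
! One standard community list per hit-list.
ip community-list 1 permit 7777:1
ip community-list 3 permit 7777:3
!
! Inbound policy on the AS-7777 feed session. Only Paul's list (7777:1)
! is accepted by this router; anything tagged only 7777:3 falls through
! to the implicit deny at the end of the route-map, so extra lists on the
! same feed do not change what this site blackholes.
route-map BLACKHOLE-IN permit 10
 match community 1
 set ip next-hop 192.0.2.1
!
! Opt-in for a site that also wants Karl's list: add a second clause with
! the same action. A prefix carrying both communities matches clause 10
! first, which is harmless because both clauses do the same thing.
route-map BLACKHOLE-IN permit 20
 match community 3
 set ip next-hop 192.0.2.1
!
! The blackhole next-hop resolves to the null interface, so every prefix
! that passed the route-map is discarded in the forwarding path.
ip route 192.0.2.1 255.255.255.255 Null0
!
router bgp 64500
 ! Multi-hop session sourced from the loopback, as suggested above,
 ! rather than from the address of the port facing the feed.
 neighbor 10.0.0.2 remote-as 7777
 neighbor 10.0.0.2 ebgp-multihop 255
 neighbor 10.0.0.2 update-source Loopback0
 neighbor 10.0.0.2 route-map BLACKHOLE-IN in
!
! ---- Sender side (a redistributor adding Karl's list), for reference ----
! Applied outbound toward each recipient. Prefixes learned from Paul keep
! 7777:1; Karl's own additions get 7777:3. 'additive' preserves any
! community already present instead of overwriting it.
route-map TAG-KARL permit 10
 match ip address prefix-list KARL-LIST
 set community 7777:3 additive
route-map TAG-KARL permit 20
!
router bgp 7778
 neighbor 10.0.0.3 remote-as 64500
 neighbor 10.0.0.3 send-community
 neighbor 10.0.0.3 route-map TAG-KARL out
```

Two caveats a deployer should check: without `ip bgp-community new-format` older IOS expects the community as a decimal (7777:1 is 7777*65536+1 = 509673473), and `send-community` is off by default on Cisco, so a feed sent without it arrives with no communities at all and every clause in BLACKHOLE-IN silently fails to match.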
