Home page logo
/

nanog logo nanog mailing list archives

Re: route for linx.net in Level3?
From: Tom Paseka <tom () cloudflare com>
Date: Thu, 4 Apr 2013 12:38:12 -0700

On Thu, Apr 4, 2013 at 12:29 PM, Leo Bicknell <bicknell () ufp org> wrote:

But hey, this is a good thing because a DDOS caused issues, right?
Well, not so much.  Even if the exchange does not advertise the
exchange LAN, it's probably the case that it is in the IGP (or at
least IBGP) of everyone connected to it, and by extension all of
their customers with a default route pointed at them.  For the most
popular exchanges (AMS-IX, for instance) I suspect the percentage
of end users who can reach the exchange LAN without it being
explicitly routed to be well over 80%, perhaps into the upper 90%
range.  So when those boxes DDOS, they are going to all DDOS the
LAN anyway.


Yes, thats why everyone needs to set up some sanity in their networks.

This was presented at an APNIC conference a little while back:
http://conference.apnic.net/__data/assets/pdf_file/0018/50706/apnic34-mike-jager-securing-ixp-connectivity_1346119861.pdf

hundreds of networks are improperly set up and are being abused (and
abusing) to the IXP LANs.


Security through obscurity does not work.  This is going to annoy some
people just trying to do their day job, and not make a statistical
difference to the attackers trying to take out infrastructure.


This isn't security through obscurity. This is saving the IXP from
getting 100's of G's over transit, which should just be for their
corporate network.


How about we all properly implement BCP 38 instead?


Agree.


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]