What's interesting in all of this is that ISPrime has been experiencing this for most of this week, yet neither they nor any of us has shared a network that is sourcing this traffic.
I know I haven't bothered asking my upstream provider which backbone provider is sending them the "ISPrime" traffic, so I'm just as guilty as anyone.

Frank

-----Original Message-----
From: Seth Mattinen [mailto:se...@rollernet.us]
Sent: Friday, January 23, 2009 8:06 PM
To: nanog@nanog.org
Subject: Are we really this helpless? (Re: isprime DOS in progress)

Noel Butler wrote:
> On Sat, 2009-01-24 at 07:21, Chris McDonald wrote:
>
>> We [AS3491] null0'd the IP earlier. Rest-of-world encouraged to do the same
>> :/
>
> Wrong approach, they are *innocent* in this as are the new targets.
>
> insert into your favourite acl:
> deny udp host 66.230.160.1 neq 53 any eq 53
> deny udp host 66.230.128.15 neq 53 any eq 53
>
> But it's much less work to add a filter on the name server as others
> have mentioned.

Having the world trying to keep up with ACL entries seems futile. Is there really nothing to be done about this? (Yes, I know, BCP38, but obviously the accomplice providers don't care.)

~Seth