What's interesting in all of this is that ISPrime has been experiencing this 
for most of this week, yet not them or any of us has shared a network that is 
sourcing this traffic.

I know I haven't bothered asking my upstream provider which backbone provider 
is sending them the "ISPrime" traffic, so I'm just as guilty as anyone.

Frank

-----Original Message-----
From: Seth Mattinen [mailto:se...@rollernet.us] 
Sent: Friday, January 23, 2009 8:06 PM
To: nanog@nanog.org
Subject: Are we really this helpless? (Re: isprime DOS in progress)

Noel Butler wrote:
> On Sat, 2009-01-24 at 07:21, Chris McDonald wrote:
>
>> We [AS3491] null0'd the IP earlier.  Rest-of-world encouraged to do the same 
>> :/
>
> Wrong approach, they are *innocent* in this as are the new targets.
>
> insert into your favourite acl:
> deny udp host 66.230.160.1 neq 53 any eq 53
> deny udp host 66.230.128.15 neq 53 any eq 53
>
> But it's much less work to add a filter on the name server as others
> have mentioned.

Having the world trying to keep up with ACL entries seems futile. Is
there really nothing to be done about this? (Yes, I know, BCP38, but
obviously the accomplice providers don't care.)

~Seth


Reply via email to