It depends. Preventing packet flow from a rather more carefully selected list of prefixes may actually make sense.
These for example - www.spamhaus.org/drop/ Filtering prefixes that your customers may actually exchange valid email / traffic with, and that are not 100% bad is not the best way to go. Block specific prefixes from China, the USA, Eastern Europe, wherever - that are a specific threat to your network .. great. Even better if you are able to manage that blocking and avoid turning your router ACLs into a sort of Hotel California for prefixes. On Fri, Apr 9, 2010 at 11:52 AM, Daniel Karrenberg <daniel.karrenb...@ripe.net> wrote: > > > **** Selectively preventing packet flow is *not* a security measure. > > **** Selectively preventing packet flow leads to unexpected and hard to > diagnose breakage. > > **** Many independent actors selectively preventing packet flow will > eventually > partition the Internet sufficiently to break it beyond recognition. -- Suresh Ramasubramanian (ops.li...@gmail.com)
