RFC 2827 anyone?

On Wed, Jun 16, 2010 at 9:38 PM, Roy <r.engehau...@gmail.com> wrote:

> On 6/16/2010 7:43 PM, Jon Lewis wrote:
>
>> On Thu, 17 Jun 2010, Mark Andrews wrote:
>>
>>> Why was this traffic hitting your DNS server in the first place? It
>>> should have been rejected by the ingress filters preventing spoofing
>>> of the local network.
>>
>> When I ran a smaller simpler network, I did have input filters on our
>> transit providers rejecting packets from our IP space. With a larger
>> network, multiple IP blocks, numerous multihomed customers, some of which
>> use IPs we've assigned them, it gets a little more complicated to do.
>>
>> I could reject at our border, packets sourced from our IP ranges with
>> exceptions for any of the IP blocks we've assigned to multihomed customers.
>> The ACLs wouldn't be that long, or that hard to maintain. Is this common
>> practice?
>
> Sounds like a good use of URPF.
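The border filter described in the quoted message (drop packets arriving from transit with a source inside our own ranges, except the blocks assigned to multihomed customers) can be computed rather than hand-maintained. This is an added example, not part of the original thread; the prefixes are constructed documentation ranges and the function names are hypothetical.

```python
import ipaddress

# Constructed sample data (not from the thread): our aggregates, and the
# sub-blocks assigned to customers who are also multihomed elsewhere.
OWN_PREFIXES = ["198.51.100.0/24", "203.0.113.0/24"]
MULTIHOMED_EXCEPTIONS = ["198.51.100.64/26", "203.0.113.128/25"]


def build_deny_list(own, exceptions):
    """Prefixes to drop on transit ingress: our own space minus the blocks
    that may legitimately arrive via a customer's other upstream.
    Pass one address family per call."""
    remaining = [ipaddress.ip_network(p) for p in own]
    for exc in (ipaddress.ip_network(e) for e in exceptions):
        next_round = []
        for net in remaining:
            if net.version != exc.version or not net.overlaps(exc):
                next_round.append(net)        # exception does not touch it
            elif net.subnet_of(exc):
                continue                      # fully excepted, drop nothing
            else:
                # exc is a strict subnet of net: keep everything around it
                next_round.extend(net.address_exclude(exc))
        remaining = next_round
    return sorted(ipaddress.collapse_addresses(remaining))


def transit_ingress_action(src, deny_list):
    """Decision for a packet arriving on a transit-facing interface."""
    addr = ipaddress.ip_address(src)
    return "deny" if any(addr in net for net in deny_list) else "permit"


DENY_LIST = build_deny_list(OWN_PREFIXES, MULTIHOMED_EXCEPTIONS)

if __name__ == "__main__":
    for net in DENY_LIST:
        print("deny source", net)
    for src in ("198.51.100.10", "198.51.100.70", "192.0.2.1"):
        print(src, "->", transit_ingress_action(src, DENY_LIST))
```

Strict-mode uRPF on a transit interface would also drop the excepted customer blocks when the best route points elsewhere, which is why the explicit exception list matters for multihomed space.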