> It was blocked and I did verify it. A very small amount of our traffic
> comes in on PCCW and *they* were not honoring a tag that they've
> contractually agreed to honor. I can understand why it may be fun to
> make this look like a product of my own incompetence, and perhaps it
> is something I would have noticed if I wasn't busy responding to
> flames.
 
It may be a good policy going forward to do your own null-routes.  I realize 
that for a DDOS protection company, the ability to tag nullroutes upstream is 
handy, but you also need to nullroute the traffic on your own gear, or shut 
down the switch port.  Something that is completely independent of another 
organization, regardless of their contractual obligations to you.

If you were my employee, I would find the fact that you fat-fingered a 
nullroute to be highly concerning.  I would recommend that in addition to 
changing the way you do nullroutes, you also implement a change control policy 
which screens commands for approval before making configuration changes upon 
which your public declarations, and your reputation as a decent operator, rely.

Nathan Eisenberg


Reply via email to