This brings to mind the following (old) blog post from CloudFlare: https://blog.cloudflare.com/the-ddos-that-almost-broke-the-internet/

Relevant excerpt here:

> Beyond attacking CloudFlare's direct peers, the attackers also attacked the core IX infrastructure on the London Internet Exchange (LINX), the Amsterdam Internet Exchange (AMS-IX), the Frankfurt Internet Exchange (DE-CIX), and the Hong Kong Internet Exchange (HKIX). From our perspective, the attacks had the largest effect on LINX which caused impact over the exchange and LINX's systems that monitor the exchange, as visible through the drop in traffic recorded by their monitoring systems. (Corrected: see below for original phrasing.)
>
> The congestion impacted many of the networks on the IXs, including CloudFlare's. As problems were detected on the IX, we would route traffic around them. However, several London-based CloudFlare users reported intermittent issues over the last several days. This is the root cause of those problems.
>
> The attacks also exposed some vulnerabilities in the architecture of some IXs. We, along with many other network security experts, worked with the team at LINX to better secure themselves. In doing so, we developed a list of best practices for any IX in order to make them less vulnerable to attacks.
>
> Two specific suggestions to limit attacks like this involve making it more difficult to attack the IP addresses that members of the IX use to interchange traffic between each other. We are working with IXs to ensure that: 1) these IP addresses should not be announced as routable across the public Internet; and 2) packets destined to these IP addresses should only be permitted from other IX IP addresses. We've been very impressed with the team at LINX and how quickly they've worked to implement these changes and add additional security to their IX and are hopeful other IXs will quickly follow their lead.
On Thu, Dec 20, 2018 at 12:51 PM Dominic Schallert <d...@schallert.com> wrote:
> Hi all,
>
> this might be a stupid question but today I was discussing with a colleague if Peering-LAN prefixes should be re-distributed/announced to direct customers/peers. My standpoint is that in any case, Peering-LAN prefixes should be filtered and not announced to peers/customers because a Peering-LAN represents some sort of DMZ and there is simply no need for them to be reachable by third parties not being physically connected to an IXP themselves. Also from a security point of view, a lot of new issues might occur in this situation.
>
> I’ve been seeing a few transit providers lately announcing (even reachable) Peering-LAN prefixes (for example DE-CIX Peering LAN) to their customers. I’m wondering if there is any document or RFC particularly describing this matter?
>
> Thanks
> Dominic
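The two IX hardening measures quoted from the CloudFlare post (do not accept or announce peering-LAN prefixes as routable, and only permit packets to peering-LAN addresses from other peering-LAN addresses) are modelled below as an added Python example. This is not code from the post, from anyone in the thread, or from any exchange; the peering-LAN prefixes are constructed from RFC 5737 / RFC 3849 documentation space and stand in for the real LINX/AMS-IX/DE-CIX allocations, and the function names are my own.

```python
"""Added example: model of the two IX peering-LAN protections quoted above.

1) Peering-LAN prefixes must not be accepted or announced as routable prefixes.
2) Packets destined to a peering-LAN address are permitted only when they are
   sourced from that same peering LAN.

Standard library only, so it runs offline.
"""
from ipaddress import IPv4Network, IPv6Network, ip_address, ip_network
from typing import Iterable, List, Tuple, Union

Network = Union[IPv4Network, IPv6Network]

# Constructed stand-ins for IX peering LANs (RFC 5737 / RFC 3849 documentation
# space). They are NOT any real exchange's allocation.
PEERING_LANS: List[Network] = [
    ip_network("198.51.100.0/24"),
    ip_network("2001:db8:ffff::/64"),
]


def is_peering_lan_prefix(prefix: Network,
                          peering_lans: Iterable[Network] = PEERING_LANS) -> bool:
    """Measure 1: a BGP prefix that equals or is more specific than a peering LAN
    must be dropped. Less-specific covering routes (e.g. a default route) are
    deliberately not matched, since rejecting them would break transit."""
    for lan in peering_lans:
        # subnet_of() raises TypeError across address families, so only compare
        # prefixes of the same version.
        if prefix.version == lan.version and prefix.subnet_of(lan):
            return True
    return False


def filter_announcements(received: Iterable[str],
                         peering_lans: Iterable[Network] = PEERING_LANS
                         ) -> Tuple[List[str], List[str]]:
    """Apply measure 1 to prefixes as they would arrive in BGP UPDATEs from a
    transit provider or peer (or leave in our own outbound policy).
    Returns (accepted, rejected) as prefix strings."""
    lans = list(peering_lans)
    accepted: List[str] = []
    rejected: List[str] = []
    for text in received:
        net = ip_network(text, strict=False)
        (rejected if is_peering_lan_prefix(net, lans) else accepted).append(str(net))
    return accepted, rejected


def permit_packet(src: str, dst: str,
                  peering_lans: Iterable[Network] = PEERING_LANS) -> bool:
    """Measure 2: a packet destined to a peering-LAN address is permitted only
    if its source is on the same peering LAN. Packets to any other destination
    are outside this filter's scope and pass through unchanged."""
    s = ip_address(src)
    d = ip_address(dst)
    for lan in peering_lans:
        if d.version == lan.version and d in lan:
            return s.version == lan.version and s in lan
    return True


if __name__ == "__main__":
    # Constructed sample UPDATE contents: a normal customer prefix, the peering
    # LAN itself, a more-specific of it, a default route, and v6 equivalents.
    updates = ["203.0.113.0/24", "198.51.100.0/24", "198.51.100.128/25",
               "0.0.0.0/0", "2001:db8:ffff::/64", "2001:db8:1::/48"]
    accepted, rejected = filter_announcements(updates)
    print("accepted:", accepted)
    print("rejected:", rejected)

    # Constructed sample packets hitting the IX-facing filter.
    packets = [
        ("198.51.100.10", "198.51.100.20"),   # member to member: permit
        ("203.0.113.5", "198.51.100.20"),     # Internet host to peering LAN: deny
        ("203.0.113.5", "192.0.2.1"),         # unrelated traffic: pass through
        ("2001:db8:1::1", "2001:db8:ffff::1"),  # v6 outsider to peering LAN: deny
    ]
    for src, dst in packets:
        verdict = "permit" if permit_packet(src, dst) else "deny"
        print(f"{src} -> {dst}: {verdict}")
```

In production these two checks live in the router rather than in Python: measure 1 is a prefix-list or policy applied on every eBGP session (both import and export, since a transit provider leaking the prefix to customers is exactly what Dominic observed), and measure 2 is an ingress filter on the IX-facing interface. The model keeps the two decisions separate because they catch different failure modes: the route filter stops the prefix from propagating, while the packet filter still protects the exchange when someone else's leak has already made the peering LAN reachable.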