Re: BCP38/84 and DDoS ACLs

2017-06-01 Thread Matthew Luckie
> This doesn't seem quite like it is BCP38 and more like this is
> BCP84, but it only talks about use of ACLs in section 2.1 without
> providing any examples. Given that it is also 13 years old I thought
> there might be fresher information out there.

section 2.1 is about permitting packets from s

Re: BCP38/84 and DDoS ACLs

2017-05-29 Thread Rabbi Rob Thomas
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Dear team,

> Your bogon list has a few non-bogons, and is missing a few current
> bogons.
>
> Team Cymru keep a good resource for this: http://www.team-cymru.org/bogon-dotted-decimal.html

Thank you, Dave! The full list of formats and styles ca

Re: BCP38/84 and DDoS ACLs

2017-05-27 Thread Dave Bell
Your bogon list has a few non-bogons, and is missing a few current bogons. Team Cymru keep a good resource for this: http://www.team-cymru.org/bogon-dotted-decimal.html

Regards,
Dave

On 26 May 2017 5:01 pm, "Compton, Rich A" wrote:

> To block UDP port 19 you can add something like:
> deny udp

Re: BCP38/84 and DDoS ACLs

2017-05-26 Thread joel jaeggli
air therefore does not accept > liability for any errors or omissions in the contents of this message, which > arise as a result of e-mail transmission. . > > -Original Message- > From: NANOG [mailto:nanog-bounces+kvicknair=reservetele@nanog.org] On > Behalf Of Rolan

Re: BCP38/84 and DDoS ACLs

2017-05-26 Thread Randy Bush
to be honest, i do not block chargen etc at my borders; i scan hosts and turn off silly services on the hosts. but i do not have myriads of hosts in a soft gooey inside. what i block at my borders are 135-139, 161 (except for holes for measurement stations), 445, 514, stuff such as that. ykmv r

Re: BCP38/84 and DDoS ACLs

2017-05-26 Thread Roland Dobbins
On 27 May 2017, at 0:19, Roland Dobbins wrote: > This is the correct URI for the first preso, apologies: --- Roland Dobbins

Re: BCP38/84 and DDoS ACLs

2017-05-26 Thread Roland Dobbins
On 27 May 2017, at 0:54, valdis.kletni...@vt.edu wrote:

> I'll go out on a limb and suggest that except for a very basic home/SOHO
> network, "You may need" should be "You will probably need".

Concur, heh.

---
Roland Dobbins

Re: BCP38/84 and DDoS ACLs

2017-05-26 Thread valdis . kletnieks
On Sat, 27 May 2017 00:19:34 +0700, Roland Dobbins said:

> servers/services/applications/users you have, et. al. You may need one
> set of ACLs at the peering/transit edge, and other, more specific ACLs,
> at the IDC distribution gateway, customer aggregation gateway, et. al.

I'll go out on a li

RE: BCP38/84 and DDoS ACLs

2017-05-26 Thread Kody Vicknair
ssage-
From: NANOG [mailto:nanog-bounces+kvicknair=reservetele@nanog.org] On Behalf Of Roland Dobbins
Sent: Friday, May 26, 2017 12:20 PM
To: nanog@nanog.org
Subject: Re: BCP38/84 and DDoS ACLs

On 26 May 2017, at 22:39, Graham Johnston wrote:

> I am looking for information regarding stand

Re: BCP38/84 and DDoS ACLs

2017-05-26 Thread Roland Dobbins
On 26 May 2017, at 22:39, Graham Johnston wrote:

> I am looking for information regarding standard ACLs that operators may be using at the internet edge of their network, on peering and transit connections,

These .pdf presos may be of interest:

Re: BCP38/84 and DDoS ACLs

2017-05-26 Thread Compton, Rich A
To block UDP port 19 you can add something like:

    deny udp any eq 19 any
    deny udp any any eq 19

This will prevent the DDoS attack traffic entering your network (source port 19) as well as the hosts scanning around looking for hosts on your network that can be used in amplification attacks (destinat