[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Open Resolver Problems

On Mar 25, 2013, at 12:35 PM, Alain Hebert <ahebert at pubnix.net> wrote:

>    Well,
>    Why would you only go after them?
>    Easier target to mitigate the problem?
>    That might be just me, but I find those peers allowing their
> customers to spoof source IP addresses more at fault.
>    PS: Some form of adaptive rate limitation works for it btw =D

Folks should be deploying unicast-rpf facing their statically routed infrastructure.  This includes server lans, PPPoE Pools, etc.  Place the filtering at the edge where feasible.  This would also include things like your firewall and other devices that shouldn't leak/emit spoofed packets.  

If you don't know how to do this, or check on it, please ask around, either here or on cisco-nsp or juniper-nap for your platforms.

- Jared