On 5/26/17 10:24, Kody Vicknair wrote:
> When I was doing some research in regards to the same subject I ran across
> this doc. I've found it to be very helpful.
>
> http://nabcop.org/index.php/DDoS-DoS-attack-BCOP

Casually applied RPF checks applied to transit and peer interfaces, especially exchange fabrics, have a very high likelihood of blackholing traffic you wanted, particularly during maintenance, if not casually implemented. A very careful read of rfc3704/bcp 84 is a necessary part of implementing bcp 38 filters.

> Kody Vicknair
> Network Engineer
> Reserve Telecommunications
>
> -----Original Message-----
> From: NANOG [mailto:[email protected]] On Behalf Of Roland Dobbins
> Sent: Friday, May 26, 2017 12:20 PM
> To: [email protected]
> Subject: Re: BCP38/84 and DDoS ACLs
>
> On 26 May 2017, at 22:39, Graham Johnston wrote:
>
>> I am looking for information regarding standard ACLs that operators
>> may be using at the internet edge of their network, on peering and
>> transit connections,
>
> These .pdf presos may be of interest:
>
> <https://app.box.com/s/ko8lk4vlh1835p36na3u>
>
> <https://app.box.com/s/xznjloitly2apixr5xge>
>
> They talk about iACL and tACL design philosophy.
>
> What traffic you should permit/deny on your network is, of course,
> situationally-specific. Depends on what kind of network it is, what
> servers/services/applications/users you have, et. al. You may need one set
> of ACLs at the peering/transit edge, and other, more specific ACLs, at the
> IDC distribution gateway, customer aggregation gateway, et. al.
>
> -----------------------------------
> Roland Dobbins <[email protected]>
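
Added example, not part of the original thread or written by any of its participants: a simplified Python model of the strict, feasible-path and loose RPF modes described in RFC 3704, showing how strict mode on an exchange-facing interface drops wanted traffic once the best path moves during maintenance. The prefixes, interface names (`ix0`, `transit0`), local-preference values and the drain scenario are constructed assumptions.

```python
import ipaddress

MODES = ("strict", "feasible", "loose")

def build_rib(routes):
    """routes: (prefix, interface, local_pref) tuples; all candidates, not just best."""
    return [(ipaddress.ip_network(p), ifc, pref) for p, ifc, pref in routes]

def candidates(rib, src):
    """All routes covering src at the longest matching prefix length."""
    addr = ipaddress.ip_address(src)
    hits = [r for r in rib if addr in r[0]]
    longest = max((r[0].prefixlen for r in hits), default=None)
    return [r for r in hits if r[0].prefixlen == longest]

def rpf_pass(rib, src, in_ifc, mode):
    """True if a packet from src arriving on in_ifc passes the RPF check."""
    if mode not in MODES:
        raise ValueError(mode)
    cands = candidates(rib, src)
    if not cands:
        return False                       # no route to source: every mode drops
    if mode == "loose":
        return True                        # a route exists via any interface
    if mode == "feasible":                 # best or alternate path via in_ifc
        return any(ifc == in_ifc for _, ifc, _ in cands)
    best = max(cands, key=lambda r: r[2])  # strict: best path only
    return best[1] == in_ifc

def evaluate(rib, src, in_ifc):
    """Outcome of each RPF mode for one packet."""
    return {m: rpf_pass(rib, src, in_ifc, m) for m in MODES}

# Constructed sample data (documentation prefixes, hypothetical interface names).
NORMAL = build_rib([("198.51.100.0/24", "ix0", 200),
                    ("198.51.100.0/24", "transit0", 100)])
# Assumed maintenance step: the IX session is de-preferenced to drain outbound
# traffic, but the peer keeps sending to us across the exchange.
DRAINED = build_rib([("198.51.100.0/24", "ix0", 50),
                     ("198.51.100.0/24", "transit0", 100)])

if __name__ == "__main__":
    for name, rib in (("normal", NORMAL), ("drained", DRAINED)):
        print(name, evaluate(rib, "198.51.100.7", "ix0"))
    print("unrouted source", evaluate(NORMAL, "203.0.113.9", "ix0"))
```

In the drained case the peer's traffic still arrives on `ix0`, so strict mode drops it while feasible-path mode accepts it because the prefix is still learned on that interface.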

