[c-nsp] Dropping traffic based on source address

Tantsura, Jeff jtantsura at ugceurope.com
Fri Jul 1 04:35:56 EDT 2005


Yes,

That's exactly the way of doing it; for more details look at NANOG.
You could use Zebra or the like to populate routes you want to be discarded.

500k is a lot, are you sure you are not going to drop valid ones?

--
Jeff Tantsura  CCIE# 11416
Senior IP Network Engineer


-----Original Message-----
From: Rodney Dunn [mailto:rodunn at cisco.com] 
Sent: 01 July 2005 06:10
To: Brad Gould
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Dropping traffic based on source address

I actually did some checking.

What you would do is turn on Loose uRPF and announce the
networks you want to drop with a next hop that points to Null0.
Just like you do for normal remote triggered blackhole filtering.

ip verify unicast source reachable-via any

But when you enable Loose uRPF, if the lookup on the source
matches a Null0 interface, you drop it.

On Thu, Jun 30, 2005 at 11:11:55PM -0400, Rodney Dunn wrote:
> Thinking out loud on this one...
> 
> But could you spoof the routing advertisement to make
> it look like it came in from a different interface
> and then enable uRPF and let it drop the traffic on ingress?
> 
> On Fri, Jul 01, 2005 at 11:47:11AM +0930, Brad Gould wrote:
> > Hi!
> > 
> > We have a (large) list of spamming evil hosts/networks we would like to
> > block from our mail servers. (~500k entries)
> > 
> > The list is being imported into the routing table via BGP, and we can
> > drop the return path traffic using PBR.  But the initial SYN traffic is
> > getting through to the servers.
> > 
> > I'd like to drop the inbound traffic, based on its source address, but I
> > can't construct a sensible ACL - there are too many entries (around
> > 500k).
> > 
> > But can I match based on known routes in the routing table, and apply 
> > that on the way into the network?
> > 
> > Any ideas?
> > 
> > Thanks
> > 
> > Brad
> > 
> > -- 
> > Brad Gould, Network Engineer
> > Internode
> > PO Box 284, Rundle Mall 5000
> > Level 3, 132 Grenfell Street, Adelaide 5000
> > P: 08 8228 2999  F: 08 8235 6999
> > bradley at internode.com.au; http://www.internode.on.net/
_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
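The loose-uRPF-plus-Null0 lookup Rodney describes, together with Jeff's question about dropping valid sources, as an added Python simulation that is not part of the original thread: the FIB entries, prefixes and interface names are constructed, and `collateral_blackholes` is a sanity check of my own, not an IOS feature.

```python
"""Loose-mode uRPF against a FIB holding Null0 blackhole routes (constructed example)."""
import ipaddress
from dataclasses import dataclass

NULL0 = "Null0"

@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: str  # "Null0" for a blackhole, otherwise an interface or neighbour name

def route(cidr, next_hop):
    return Route(ipaddress.ip_network(cidr), next_hop)

# Constructed FIB: default route, one customer prefix, three BGP-fed blackholes.
FIB = [
    route("0.0.0.0/0", "Upstream"),
    route("192.0.2.0/24", "Customer-A"),
    route("198.51.100.0/24", NULL0),  # a spamming network
    route("203.0.113.7/32", NULL0),   # a single spamming host
    route("192.0.2.200/32", NULL0),   # a blackhole that lands inside a customer prefix
]

def lookup(fib, addr):
    """Longest-prefix match, exactly what the forwarding engine does for any address."""
    ip = ipaddress.ip_address(addr)
    matches = [r for r in fib if ip in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen, default=None)

def loose_urpf_permits(fib, src):
    """'ip verify unicast source reachable-via any': permit only if the source's best
    route exists and does not point at Null0; no route or a Null0 route means drop."""
    best = lookup(fib, src)
    return best is not None and best.next_hop != NULL0

def collateral_blackholes(fib):
    """Null0 routes that fall inside a real (non-default, non-Null0) prefix: sources
    there are dropped although the space is legitimately routed. Worth running over
    a 500k-entry feed before announcing it."""
    real = [r for r in fib if r.next_hop != NULL0 and r.prefix.prefixlen > 0]
    return [(str(bh.prefix), str(r.prefix))
            for bh in fib if bh.next_hop == NULL0
            for r in real if bh.prefix.subnet_of(r.prefix)]

if __name__ == "__main__":
    for src in ("192.0.2.10", "198.51.100.45", "203.0.113.7", "192.0.2.200", "203.0.113.8"):
        print(src, "permit" if loose_urpf_permits(FIB, src) else "drop")
    print("collateral:", collateral_blackholes(FIB))
```

Note that with a default route in the table, loose uRPF only ever drops sources whose best match is a Null0 route; remove the default route from the constructed FIB and an unrouted source is dropped too.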

