[c-nsp] Dropping traffic based on source address

David J. Hughes bambi at Hughes.com.au
Fri Jul 1 00:30:06 EDT 2005


Grrrr.  Forgot to mention the loose uRPF bit.  Thanks for filling in 
the holes of my suggestion for me Rodney.


David
(it's been a long week :)


On 01/07/2005, at 2:14 PM, David J. Hughes wrote:

>
> Why not set the next-hop of the prefixes to an IP that you static route
> to Null0 on all your borders.  Using Zebra / Quagga for example you can
> inject into iBGP with a pre-set next-hop.
>
>
> David
> ...
>
> On 01/07/2005, at 12:17 PM, Brad Gould wrote:
>
>> Hi!
>>
>> We have a (large) list of spamming evil hosts/networks we would like
>> to block from our mail servers. (~500k entries)
>>
>> The list is being imported into the routing table via BGP, and we can
>> drop the return path traffic using PBR.  But the initial SYN traffic is
>> getting through to the servers.
>>
>> I'd like to drop the inbound traffic based on its source address, but I
>> can't construct a sensible ACL - there are too many entries (around
>> 500k).
>>
>> But can I match based on known routes in the routing table, and apply
>> that on the way into the network?
>
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
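The setup sketched above (prefixes injected over iBGP with a next-hop that every border statically routes to Null0, plus loose-mode uRPF so the border drops packets whose *source* address resolves to that Null0 route), written out as an added configuration example that is not from the original thread. The AS number, addresses, interface and route-map names are assumed; the IOS side is one border, the Quagga side is the injector box holding the blocklist.

```text
! ---- Cisco IOS border (assumed names and addresses; added example) ----
ip cef
!
! The discard next-hop. Every border carries this static route, so any
! prefix whose BGP next-hop is 192.0.2.1 resolves to Null0.
ip route 192.0.2.1 255.255.255.255 Null0
!
! Loose-mode uRPF on the upstream-facing interface: a packet passes if
! its source address has any route in the FIB; a source whose route
! points at Null0 fails the check and is dropped, which catches the
! inbound SYNs. allow-default is needed when this router carries a
! default route, otherwise sources that only match 0.0.0.0/0 fail too.
interface GigabitEthernet0/0
 description upstream transit
 ip address 198.51.100.2 255.255.255.252
 ip verify unicast source reachable-via any allow-default
!
router bgp 64500
 neighbor 10.0.0.10 remote-as 64500
 neighbor 10.0.0.10 description quagga blocklist injector
 ! no next-hop-self on this session: the injected next-hop 192.0.2.1
 ! must survive so the prefixes resolve to the Null0 static above
!
! ---- Quagga bgpd.conf on the injector (one network line per entry) ----
router bgp 64500
 bgp router-id 10.0.0.10
 neighbor 10.0.0.1 remote-as 64500
 neighbor 10.0.0.1 route-map BLOCKLIST out
 network 203.0.113.0/24
 network 203.0.113.77/32
!
route-map BLOCKLIST permit 10
 set ip next-hop 192.0.2.1
 set community no-export
```

Two things worth checking before turning this on: `no-export` keeps the ~500k blocklist prefixes from leaking to eBGP peers, and the injector must not advertise 192.0.2.1/32 itself, since the whole scheme relies on each border's own Null0 static for that address. Loose uRPF needs CEF, and with the blocklist sitting in the RIB/FIB the borders must have the memory for a few hundred thousand extra /32s.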


