[c-nsp] Dropping traffic based on source address
Arie Vayner
arievayner at gmail.com
Fri Jul 1 06:36:37 EDT 2005
You have to keep in mind that you are going to drop ALL ip traffic and
not only specific ports in that way, so 500K hosts does sound too
much...
Another point is to try and aggregate the 500K hosts to larger
prefixes instead of having 500K host routes (which is like holding >3
times the Internet routing table just for blocking...)
Arie
CCIE #12198
On 7/1/05, Tantsura, Jeff <jtantsura at ugceurope.com> wrote:
> Yes,
>
> That's exactly the way of doing it, for more details look @Nanog.
> You could use Zebra or alike to populate routes you want to be discarded.
>
> 500k is a lot, are you sure you are not going to drop valid one's?
>
> --
> Jeff Tantsura CCIE# 11416
> Senior IP Network Engineer
>
>
> -----Original Message-----
> From: Rodney Dunn [mailto:rodunn at cisco.com]
> Sent: 01 July 2005 06:10
> To: Brad Gould
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] Dropping traffic based on source address
>
> I actually did some checking.
>
> What you would do is turn on Loose uRPF and announce the
> networks you want to drop with a next hop that points to Null0.
> Just like you do for normal remote triggered blackhole filtering.
>
> ip verify unicast source reachable-via any
>
> But when you enable Loose uRPF if the lookup on the source
> matches a Null0 interface you drop it.
>
> On Thu, Jun 30, 2005 at 11:11:55PM -0400, Rodney Dunn wrote:
> > Thinking out loud on this one...
> >
> > But could you spoof the routing advertisement to make
> > it look like it come in from a different interface
> > and then enable uRPF and let it drop the traffic on ingress?
> >
> > On Fri, Jul 01, 2005 at 11:47:11AM +0930, Brad Gould wrote:
> > > Hi!
> > >
> > > We have a (large) list of spamming evil hosts/networks we would like
> > > block from our mail servers. (~500k entries)
> > >
> > > The list is being imported into the routing table via bgp, and we can
> > > drop the return path traffic, using PBR. But the initial syn traffic is
>
> > > getting through to the servers.
> > >
> > > I'd like to drop the inbound traffic, based on its source address, but I
>
> > > cant construct a sensible ACL - there are too many entries (around
> 500k).
> > >
> > > But can I match based on known routes in the routing table, and apply
> > > that on the way into the network?
> > >
> > > Any ideas?
> > >
> > > Thanks
> > >
> > > Brad
> > >
> > > --
> > > Brad Gould, Network Engineer
> > > Internode
> > > PO Box 284, Rundle Mall 5000
> > > Level 3, 132 Grenfell Street, Adelaide 5000
> > > P: 08 8228 2999 F: 08 8235 6999
> > > bradley at internode.com.au; http://www.internode.on.net/
> > > _______________________________________________
> > > cisco-nsp mailing list cisco-nsp at puck.nether.net
> > > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > > archive at http://puck.nether.net/pipermail/cisco-nsp/
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
More information about the cisco-nsp
mailing list