denied NS/IN
Mark Andrews
Mark_Andrews at isc.org
Wed Jan 21 23:25:14 UTC 2009
In message <1232561124.6369.187.camel at d410-heron>, "Niall O'Reilly" writes:
> On Wed, 2009-01-21 at 12:44 +1100, Mark Andrews wrote:
> > You should talk to your ISP to chase the traffic back to
> > its source and get BCP 38 implemented there. BCP 38 is ~10
> > years old now. There is no excuse for not filtering spoofed
> > traffic.
>
> Absolutely.
>
> Putting myself at the other end of the telescope, I'm wondering
> what tools (if any) are available for verifying that the ingress
> filtering actually in place is indeed compliant with BCP 38.
>
> I try to be conscientious, but drawing valid conclusions from
> visual inspection of the ACLs is already a challenge for my
> domestic network (3 LANs and an upstream). Enterprise (even
> with only one upstream) or ISP networks are likely more
> difficult to verify.
>
> Pointers for my next RTFM binge are welcome. Further discussion
> is probably off-topic for the bind-users list.
>
> /Niall
One way to test is to have a test box that sends spoofed traffic
to a machine you control. You should be able to detect acl
or other hits. Checking the acls regularly is also a way to
detect compromised machines that could be used for a different
badness.
Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at isc.org
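The test Mark describes above, worked through as an added example (this is not code from the thread or from ISC): a test box behind the filter being verified sends raw IPv4/UDP datagrams with deliberately spoofed source addresses to a receiver you control on the far side, and the receiver checks which ones arrived. Every probe carries a marker and an id in its payload so the listener can tell probes from unrelated traffic and backscatter. The verdict logic distinguishes a control probe sent from the network's own prefix (which must arrive, or the test is invalid) from spoofed sources that should have been dropped; sending both an RFC 1918 address and a routable address that simply is not yours matters, because a filter that only blocks bogons passes the second, while BCP 38 requires dropping anything outside the allocated prefix. The addresses, prefix, port and marker string are placeholders from the documentation ranges, and sending or capturing raw packets needs root (CAP_NET_RAW) on each host.

```python
"""BCP 38 ingress-filter probe: sender, receiver and verdict logic (added example)."""
import ipaddress
import socket
import struct

MARKER = b"BCP38-PROBE:"   # constructed marker so the receiver can pick out our probes


def ipv4_checksum(data):
    """RFC 1071 ones'-complement checksum over 16-bit words; 0 when a checksummed header verifies."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_probe(spoofed_src, dst, dport, probe_id, sport=40000):
    """Build a complete IPv4/UDP datagram whose source address is spoofed_src.
    The IP id field and the payload both carry probe_id so the receiver can match it."""
    payload = MARKER + b"%d:%s" % (probe_id, spoofed_src.encode())
    udp_len = 8 + len(payload)
    udp = struct.pack("!HHHH", sport, dport, udp_len, 0) + payload   # UDP checksum 0 = absent (legal on IPv4)
    src_b = ipaddress.IPv4Address(spoofed_src).packed
    dst_b = ipaddress.IPv4Address(dst).packed
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, probe_id & 0xFFFF, 0, 64, 17, 0, src_b, dst_b)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]  # fill in header checksum
    return hdr + udp


def parse_probe(packet):
    """Receiver side: return (src, dst, probe_id) if packet is one of our probes, else None."""
    if len(packet) < 28 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or ipv4_checksum(packet[:ihl]) != 0 or packet[9] != 17:
        return None
    payload = packet[ihl + 8:]
    if not payload.startswith(MARKER):
        return None
    src = str(ipaddress.IPv4Address(packet[12:16]))
    dst = str(ipaddress.IPv4Address(packet[16:20]))
    probe_id = int(payload[len(MARKER):].split(b":")[0])
    return src, dst, probe_id


def evaluate(sent, received, legitimate_prefix):
    """sent: {probe_id: source address used}; received: raw packets captured on the receiver.
    A source inside legitimate_prefix is the control and must arrive ('control-ok');
    any other source that arrives has 'leaked' past the filter, otherwise it was 'filtered'."""
    net = ipaddress.IPv4Network(legitimate_prefix)
    arrived = set()
    for pkt in received:
        parsed = parse_probe(pkt)
        if parsed and parsed[2] in sent and parsed[0] == sent[parsed[2]]:
            arrived.add(parsed[2])
    verdict = {}
    for pid, src in sent.items():
        if ipaddress.IPv4Address(src) in net:
            verdict[src] = "control-ok" if pid in arrived else "control-lost"
        else:
            verdict[src] = "leaked" if pid in arrived else "filtered"
    return verdict


def send_raw(packet, dst):
    """Transmit a hand-built datagram. IP_HDRINCL tells the kernel we supplied the IP header,
    so the spoofed source is sent as-is. Requires root / CAP_NET_RAW."""
    s = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_RAW)
    s.setsockopt(socket.IPPROTO_IP, socket.IP_HDRINCL, 1)
    s.sendto(packet, (dst, 0))
    s.close()


def capture(quiet_seconds=15.0):
    """Collect raw UDP datagrams (IP header included) until the link has been quiet for quiet_seconds."""
    s = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_UDP)
    s.settimeout(quiet_seconds)
    pkts = []
    try:
        while True:
            pkts.append(s.recv(65535))
    except socket.timeout:
        pass
    finally:
        s.close()
    return pkts


if __name__ == "__main__":
    import sys
    # Placeholders (documentation ranges): your own prefix, your receiver, and the sources to try.
    OWN_PREFIX = "192.0.2.0/24"
    RECEIVER = "192.0.2.10"
    SOURCES = {1: "192.0.2.9",       # control: inside our own prefix, must arrive
               2: "10.0.0.1",        # RFC 1918: even a bogon-only filter drops this
               3: "203.0.113.5"}     # routable but not ours: only real BCP 38 filtering drops this
    if sys.argv[1:] == ["send"]:
        for pid, src in SOURCES.items():
            send_raw(build_probe(src, RECEIVER, 33434, pid), RECEIVER)
    elif sys.argv[1:] == ["listen"]:
        print(evaluate(SOURCES, capture(), OWN_PREFIX))
```

Run `listen` on the receiver first, then `send` on the test box; a verdict of `leaked` for 203.0.113.5 with `filtered` for 10.0.0.1 means the upstream only drops bogons rather than enforcing the allocated prefix. If the control probe is lost, the ACL under test (or something in between) is dropping more than it should and the other verdicts tell you nothing. On the filtering device itself, the same probes should show up as ACL hit counters, which is the regular check Mark suggests.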