i noticed some pretty poor aggregation in some of the most recently
allocated address space tonight: (advertising as's withheld to
protect the innocent/guilty)
208.201.64.0/21
208.201.73.0
208.201.88.0/21
208.201.97.0
208.201.103.0
208.201.112.0/22
208.218.64.0/20
210.135.160.0/20
210.135.192.0/22
210.135.224.0/20
this seems especially bad with all the talk of better ways to
allocate and advertise so that we don't waste address space. i do
note that most of what i call poor aggregation appears to be due to
"dual homing". are we just doomed to poor aggregation because of
this?
or maybe i'm just naive in thinking the internic is really cracking
down on small allocations and that providers are really working hard
to aggregate.
-brett
Hmm. Maybe a neutral, 3rd-party agency to get dumps of tables from
major entities and which would send e-mail with suggested aggregations
to noc@theownerofeachoffendingasn.
I will make time to start running the route aggregator at routes.netaxs.com
again; we've been fighting a random-src-address-SYN-attacker for the last
week or two. I may have some comments on THAT for NANOG re: inter-provider
cooperation shortly.
Avi
==>
==>I will make time to start running the route aggregator at routes.netaxs.com
==>again; we've been fighting a random-src-address-SYN-attacker for the last
==>week or two. I may have some comments on THAT for NANOG re: inter-provider
==>cooperation shortly.
==>
==>Avi
==>
A friend of mine gave me a photocopy of a page in the latest 2600
magazine. It was the source code for a SYN flooder on Linux, with a
description of what it does and a notice on how it can really cause
denial-of-service attacks.
I can't remember if it also supplied the source for the source-spoof
kernel patch or not, but it does mention that you should use the
source-spoof patch to hide your identity.
So, what does this say? Look for more 13-year-olds causing
denial-of-service attacks for the hell of it. It seems a lot of the
providers SYN flooders like to attack are the ones which have IRC servers,
but the flooders attack the more traditional services of those providers,
too.
/cah
So, what does this say? Look for more 13-year-olds causing
denial-of-service attacks for the hell of it. It seems a lot of the
providers SYN flooders like to attack are the ones which have IRC servers,
but the flooders attack the more traditional services of those providers,
too.
My outbound filter blocks packets not from an address in my space. Am
I wrong in thinking this is the right thing for non-transit networks
to do?