> Hi,
>
> I agree with seeing no traffic to/from 66.230.128.15 but am still
> seeing flows 'from' 66.230.160.1
>
> Regards,
> SteveHi Steve,
There is at least an iptables rule you can use to drop this specific
query, assuming your nameservers run linux.http://www.stupendous.net/archives/2009/01/24/dropping-spurious-nsin-recursiv
e-queries/The bind-users mailing list suggested having the ISPs trace back the
flows and find the networks emitting the spoofed packets, and have
those networks implement BCP 38.
It was also said here.
While that's the 'right' solution
(everyone should be doing ingress filtering, sure, impossible to argue
against it), not every network out there is operated by people who
give a damn.
I would suggest that you don't want to peer with such
networks.
I would suggest that deploying BCP 38 be a requirement for
peering.