Just wondering if anyone has any words of caution ("False positives! Avoid
FULLBOGONS and Spamhaus!"), or words of praise ("Do it all! These services
are wonderful!") before we take the plunge.
A DoS or DDoS is pure bandwidth wars for the most part. If someone is to DoS you, they already have your IPs and URLs they need to attack you, thus a spam list won't stop an attack.
These really won't do anything to stop DoS attacks. Common DDoS attack traffic these days comes via reflection from non-spoofed sources replying to a spoofed public IP target.
Same here. Whether or not it's worth null routing unallocated IP space may be debatable, but again, it's not going to help protect you from a typical real DDoS.
We're a little more leery about trying Spamhaus's BGPf service (DROP, EDROP
and BCL,
This is more about stopping spam from entering your network and stopping compromised hosts on your network from becoming active in botnets (by cutting off their command and control).
DROP (Don't Route Or Peer) and EDROP are advisory "drop all traffic"
lists, consisting of netblocks that are "hijacked" or leased by professional
spam or cyber-crime operations (used for dissemination of malware,
trojan downloaders, botnet controllers). The DROP and EDROP lists are
a tiny subset of the SBL, designed for use by firewalls and routing
equipment to filter out the malicious traffic from these netblocks.
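
An added example, not code from any poster in this thread or from Spamhaus: it shows how a DROP-style list can serve the use described above, flagging internal hosts that contact listed netblocks and rendering the list as null routes for review. It assumes the plain-text layout of one CIDR per line followed by `; SBL-reference`, with `;` comment lines; the sample netblocks, SBL references, flow records and the `/8` sanity limit are constructed for illustration.

```python
import ipaddress

# Constructed sample in the assumed DROP text layout; netblocks are RFC 5737
# documentation ranges and the SBL references are made up.
SAMPLE_DROP = """\
; Constructed sample, not real Spamhaus data
192.0.2.0/24 ; SBL000001
198.51.100.128/25 ; SBL000002
"""

# Constructed flow records: (internal source, external destination)
SAMPLE_FLOWS = [
    ("10.0.0.5", "192.0.2.77"),
    ("10.0.0.9", "203.0.113.10"),
    ("10.0.0.5", "198.51.100.200"),
    ("10.0.0.7", "198.51.100.5"),
]

def parse_drop(text):
    """Return [(network, reference)] from DROP-style text, skipping comments and junk."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        cidr, _, ref = line.partition(";")
        try:
            net = ipaddress.ip_network(cidr.strip(), strict=True)
        except ValueError:
            continue  # malformed entry: never turn garbage into a filter rule
        if net.prefixlen < 8:  # assumed sanity limit against a corrupted feed
            continue
        entries.append((net, ref.strip()))
    return entries

def flag_flows(flows, entries):
    """Return flows whose destination is inside a listed netblock (possible C&C contact)."""
    hits = []
    for src, dst in flows:
        addr = ipaddress.ip_address(dst)
        for net, ref in entries:
            if addr in net:
                hits.append((src, dst, str(net), ref))
                break
    return hits

def null_routes(entries):
    """Render entries as Linux blackhole routes for review before applying."""
    return [f"ip route add blackhole {net}" for net, _ in entries]
```

A source address that shows up repeatedly in `flag_flows` output is a candidate for a compromised-host investigation, which is the benefit described in the thread, separate from any DDoS protection.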