Simple, All stub autonomous systems should have a simple egress ACL allowing only PI of their customers and their own PAs -it’s a simple ACL at each AS-Exit points (towards transits/peers), that’s it. -not sure why this isn’t the first sentence in every BCP and “security bulletin”… adam From: NANOG <nanog-bounces+adamv0025=netconsultings.com@nanog.org> On Behalf Of Baldur Norddahl Sent: Thursday, October 15, 2020 8:38 AM To: nanog@nanog.org Subject: Re: Ingress filtering on transits, peers, and IX ports All DNS resolvers discovered on our network belong to customers. Our own resolvers, running unbound, were not discovered. While filtering same AS on ingress could help those customers (but only one was a open relay), filtering bogons is something the customer can also do. Or the software can be fixed. Do we really expect the ISP to implement firewalls instead of customers upgrading software? I also note that apparently our own ISPs (transits) do not filter bogons either. The above is a principal question. I am going to filter bogons, it just is not very high on my long list of stuff to do. Regards Baldur ons. 14. okt. 2020 20.53 skrev Casey Deccio <casey@deccio.net <mailto:casey@deccio.net> >: Hi Bryan,
On Oct 14, 2020, at 12:43 PM, Bryan Holloway <bryan@shout.net <mailto:bryan@shout.net> > wrote:
I too would like to know more about their methodology
We've written up our methodology and results in a paper that will be available in a few weeks. Happy to post it here if folks are interested. Obviously, no networks are individually identified; it's all aggregate. Also, we're working on a self-test tool, but it's not quite ready yet. Sorry.
and actual tangibles ideally in the form of PCAPs.
What do you mean by "tangibles in the form of PCAPs"? Casey