On Tue, 30 Jun 2015, Sandra Murphy wrote:
On Jun 30, 2015, at 10:39 AM, "Justin M. Streiner" <streiner@cluebyfour.org> wrote:
At a minimum, AS-PATH filtering of outgoing routes to just your ASN(s) and your downstream customer ASNs. Whether this is done manually, built using AS-SETs from your route registry of choice, or through some other automated means is another story.
That sort of AS_PATH filtering would not have helped in this case. The AS originated the routes, it did not propagate an upstream route.
I didn't realise they offending AS was originating those routes, rather than propagating the existing ones.
So an AS_PATH filter to just its own AS would have passed these routes.
That's why I suggested it as a minimum precaution. When I worked in the service provider world, we did prefix + AS-PATH filtering + max-prefix, which was pretty effective in keeping BGP-borne madness down to a dull roar. Would that stop everything? No, but it did help a lot. I still work in a BGP-speaking organization - just not one that has downstream BGP-speaking customers at this point.
You would need origin validation on your outbound routes. Job suggested prefix filters on outbound routes. (If you are doing prefix filters on your inbound customer links, it might be excessive caution to also prefix filter customers prefixes on outbound links? Or is it: you can never be too careful, belt-and-suspenders, measure twice, etc?)
It depends on how much automation can be done to update the necessary filters and AS-PATH ACLs, and how much you trust both the automation method and the data source for those filters. jms