On Thu, Apr 4, 2013 at 12:29 PM, Leo Bicknell <bicknell@ufp.org> wrote:
But hey, this is a good thing because a DDOS caused issues, right? Well, not so much. Even if the exchange does not advertise the exchange LAN, it's probably the case that it is in the IGP (or at least IBGP) of everyone connected to it, and by extension all of their customers with a default route pointed at them. For the most popular exchanges (AMS-IX, for instance) I suspect the percentage of end users who can reach the exchange LAN without it being explicitly routed to be well over 80%, perhaps into the upper 90% range. So when those boxes DDOS, they are going to all DDOS the LAN anyway.
Yes, that's why everyone needs to set up some sanity in their networks. This was presented at an APNIC conference a little while back: http://conference.apnic.net/__data/assets/pdf_file/0018/50706/apnic34-mike-j... Hundreds of networks are improperly set up and are being abused (and abusing) to the IXP LANs.
Security through obscurity does not work. This is going to annoy some people just trying to do their day job, and not make a statistical difference to the attackers trying to take out infrastructure.
This isn't security through obscurity. This is saving the IXP from getting 100's of G's over transit, which should just be for their corporate network.
How about we all properly implement BCP 38 instead?
Agree.
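As an added illustration of the two fixes discussed in this thread (it is not configuration from either poster or from any IXP), here is a Cisco IOS-style fragment that does BCP 38 ingress filtering on a single-homed customer port and keeps the peering LAN out of the IGP and out of customers' reach even when they default-route to the provider. All interface names, the customer prefix (192.0.2.0/24), the peering-LAN prefix (203.0.113.0/24) and the AS numbers (64496/64497) are placeholders from the documentation ranges, not values taken from the thread.

```cisco
! --- BCP 38: only accept packets whose source is the customer's own prefix ---
ip access-list extended CUST-A-IN
 remark Drop anything aimed at the peering LAN: customers have no business there
 deny   ip any 203.0.113.0 0.0.0.255 log
 remark Only the prefix we assigned to this customer may be a source address
 permit ip 192.0.2.0 0.0.0.255 any
 remark Everything else is spoofed or misconfigured; log it so it gets fixed
 deny   ip any any log
!
interface GigabitEthernet0/1
 description Customer A (single-homed, placeholder)
 ip access-group CUST-A-IN in
 ! Strict uRPF: source must be reachable back out this same interface (needs CEF)
 ip verify unicast source reachable-via rx
!
! --- Peering LAN: connected, but never put into the IGP or advertised ---
interface GigabitEthernet0/2
 description IXP peering LAN (placeholder prefix 203.0.113.0/24)
 ip address 203.0.113.10 255.255.255.0
!
router ospf 1
 ! No "network" statement covers 203.0.113.0/24 and connected routes are not
 ! redistributed, so the peering LAN never appears in the IGP.
 network 192.0.2.0 0.0.0.255 area 0
 passive-interface GigabitEthernet0/2
!
! Belt and braces: even if the LAN leaks into BGP, never send it to customers
ip prefix-list IXP-LAN seq 5 permit 203.0.113.0/24 le 32
!
route-map TO-CUSTOMERS deny 10
 match ip address prefix-list IXP-LAN
route-map TO-CUSTOMERS permit 20
!
router bgp 64496
 neighbor 192.0.2.1 remote-as 64497
 neighbor 192.0.2.1 route-map TO-CUSTOMERS out
```

The ACL's first entry is what addresses Leo's point: a customer with a default route towards you can still reach the exchange LAN unless you drop that traffic at the edge, regardless of whether the prefix is advertised. The uRPF and source-prefix entries are the BCP 38 part; on a multi-homed customer port you would use loose mode (`reachable-via any`) or rely on the ACL alone, since strict uRPF can drop legitimate asymmetric traffic there.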