nanog mailing list archives

Re: de-peering for security sake

From: Stephen Satchell <list () satchell net>
Date: Sat, 26 Dec 2015 07:09:28 -0800

On 12/26/2015 06:19 AM, Mike Hammett wrote:

How much is an acceptable standard to the community? Individual /32s
( or /64s)? Some tipping point where 50% of a /24 (or whatever it's
IPv6 equivalent would be) has made your naughty list that you block
the whole prefix?

My gauge is volume of obnoxious traffic. When I get lots of SSH probesfrom a /32, I block the /32. When I get lots of SSH probes across arange of a /24, I block the /24.

When I see that the bad traffic has caused me to block multiple /24s, Iwill block the entire allocation.

By "lots" I mean hundreds or more. When the criminals try to bust mydoor down, I take stops to stop them.


Ditto with attempts to relay mail through my mail servers.

My goal isn't to reduce traffic. My goal is to stop irresponsiblepeople from finding a rat-hole to do things I don't authorize them todo. Defense in depth.

This is in addition to selecting the TCP and UDP ports carefully that Iexpose to the outside world. Indeed, I have separate ACLs for inbound,outbound, and DMZ ports. So, I've limited service from the inside tothe outside to this:

#       ---originated by LAN host to Internet
FORWARD_TCP="ftp ssh snmp telnet smtp smtps submission domain http https ntp nicname rwhois pop3 pop3s imap imaps 
radius"
FORWARD_TCP="$FORWARD_TCP 465 8008 webcache 8443 8888 snpp rsync"
#           xmpp-client
FORWARD_TCP="$FORWARD_TCP 5222 5223 8002"
#           Microsoft Notification Protocol (msnp) [Messenger]
FORWARD_TCP="$FORWARD_TCP 1863"
#           Microsoft PPTP
FORWARD_TCP="$FORWARD_TCP 1723"
#           Timbuktu client, Service Ports 1-4
FORWARD_TCP="$FORWARD_TCP 407 1417:1420"
#           memoq
FORWARD_TCP="$FORWARD_TCP 2705"
#
FORWARD_UDP="domain ntp snmp 407 443 500 1419 1701 1812 4500 snmp 3389 10000 55555 "

Your client base and my client base differ. I make NNAP difficult touse against the world from my people. But I don't hamstring them; ifthey want access to an outside service, they have but to ask.


I also terminate spammers.

Current thread:

Re: de-peering for security sake, (continued)
- - - Re: de-peering for security sake Owen DeLong (Dec 24)
    - Re: de-peering for security sake Nick Hilliard (Dec 25)
    - Re: de-peering for security sake Daniel Corbe (Dec 25)
    - Re: de-peering for security sake Mike Hammett (Dec 25)
    - Re: de-peering for security sake Stephen Satchell (Dec 25)
    - Re: de-peering for security sake Daniel Corbe (Dec 25)
    - Re: de-peering for security sake Daniel Corbe (Dec 25)
    - Re: de-peering for security sake Owen DeLong (Dec 25)
    - Message not available
    - Re: de-peering for security sake Owen DeLong (Dec 25)
    - Re: de-peering for security sake Mike Hammett (Dec 26)
    - Re: de-peering for security sake Stephen Satchell (Dec 26)
    - Re: de-peering for security sake Baldur Norddahl (Dec 26)
    - Re: de-peering for security sake Mike Hammett (Dec 26)
    - Re: de-peering for security sake Joe Abley (Dec 26)
    - Re: de-peering for security sake William Waites (Dec 26)
    - Re: de-peering for security sake Owen DeLong (Dec 26)
    - Re: de-peering for security sake Matthew Petach (Dec 26)
    - Re: de-peering for security sake Owen DeLong (Dec 26)
    - Re: de-peering for security sake Valdis . Kletnieks (Dec 26)
    - Re: de-peering for security sake Baldur Norddahl (Dec 26)
    - Re: de-peering for security sake Owen DeLong (Dec 26)

(Thread continues...)