On 12/26/2015 06:19 AM, Mike Hammett wrote:
How much is an acceptable standard to the community? Individual /32s (or /64s)? Some tipping point where 50% of a /24 (or whatever its IPv6 equivalent would be) has made your naughty list that you block the whole prefix?
My gauge is volume of obnoxious traffic. When I get lots of SSH probes from a /32, I block the /32. When I get lots of SSH probes across a range of a /24, I block the /24. When I see that the bad traffic has caused me to block multiple /24s, I will block the entire allocation. By "lots" I mean hundreds or more. When the criminals try to bust my door down, I take steps to stop them. Ditto with attempts to relay mail through my mail servers. My goal isn't to reduce traffic. My goal is to stop irresponsible people from finding a rat-hole to do things I don't authorize them to do. Defense in depth. This is in addition to carefully selecting the TCP and UDP ports that I expose to the outside world. Indeed, I have separate ACLs for inbound, outbound, and DMZ ports. So, I've limited service from the inside to the outside to this:
# ---originated by LAN host to Internet
FORWARD_TCP="ftp ssh snmp telnet smtp smtps submission domain http https ntp nicname rwhois pop3 pop3s imap imaps radius"
FORWARD_TCP="$FORWARD_TCP 465 8008 webcache 8443 8888 snpp rsync"
# xmpp-client
FORWARD_TCP="$FORWARD_TCP 5222 5223 8002"
# Microsoft Notification Protocol (msnp) [Messenger]
FORWARD_TCP="$FORWARD_TCP 1863"
# Microsoft PPTP
FORWARD_TCP="$FORWARD_TCP 1723"
# Timbuktu client, Service Ports 1-4
FORWARD_TCP="$FORWARD_TCP 407 1417:1420"
# memoq
FORWARD_TCP="$FORWARD_TCP 2705"
#
FORWARD_UDP="domain ntp snmp 407 443 500 1419 1701 1812 4500 snmp 3389 10000 55555"
Your client base and my client base differ. I make NNAP difficult to use against the world from my people. But I don't hamstring them; if they want access to an outside service, they have but to ask. I also terminate spammers.
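Added example, not part of the original reply: a Python sketch of the escalating block rule the reply describes (noisy /32 gets blocked; probes spread across a /24 get the /24 blocked; multiple blocked /24s inside one allocation get the allocation blocked), run over constructed sshd "Failed password" lines. It also answers the /64 part of the question by using /64 as the IPv6 equivalent of the /24 aggregate. Everything below the rule itself is an assumption: the threshold of 100 stands in for "hundreds or more", "across a range" is taken to mean at least two distinct hosts in the prefix, and the allocation table (198.18.0.0/15 and 2001:db8::/32, both documentation/benchmark space) stands in for a WHOIS lookup of the real allocation. The output is a list of prefixes to feed to whatever ACL mechanism is in use; narrower blocks already covered by a wider one are dropped.

```python
import ipaddress
import re
from collections import Counter

# Matches the sshd failure line and captures the remote address (IPv4 or IPv6).
FAILED_RE = re.compile(r"Failed password for .* from (\S+) port \d+")

# Constructed allocation table: assumed to come from WHOIS in real use.
ALLOCATIONS = [ipaddress.ip_network("198.18.0.0/15"),
               ipaddress.ip_network("2001:db8::/32")]

# Constructed probe mix: (source, number of failed logins). Not real hosts.
CONSTRUCTED_PROBES = [
    ("198.18.1.7", 250),                                            # lone noisy host in its /24
    ("198.18.2.10", 60), ("198.18.2.11", 70), ("198.18.2.12", 30),  # probes spread across a /24
    ("198.18.3.5", 90), ("198.18.3.6", 40),                         # second /24 in the same allocation
    ("203.0.113.42", 300),                                          # noisy host outside any tracked allocation
    ("192.0.2.9", 5),                                               # a handful of failures: ignored
    ("2001:db8:1:2::5", 300),                                       # noisy IPv6 host
]


def constructed_log():
    """Expand the constructed probe mix into sshd-style auth.log lines."""
    lines = []
    for ip, n in CONSTRUCTED_PROBES:
        for i in range(n):
            lines.append(f"Dec 26 06:19:{i % 60:02d} gw sshd[2048]: Failed password "
                         f"for invalid user admin from {ip} port {40000 + i} ssh2")
    return lines


def parse_probes(lines):
    """Count failed-login probes per source address; ignores lines that do not match."""
    counts = Counter()
    for line in lines:
        m = FAILED_RE.search(line)
        if not m:
            continue
        try:
            counts[ipaddress.ip_address(m.group(1))] += 1
        except ValueError:
            continue  # malformed address in a log line is noise, not a crash
    return counts


def range_prefix(addr):
    """The 'range' aggregate: /24 for IPv4, /64 for IPv6 (assumed equivalent)."""
    plen = 24 if addr.version == 4 else 64
    return ipaddress.ip_network(f"{addr}/{plen}", strict=False)


def covered(narrow, wide):
    """True when narrow lies inside wide; never compares v4 against v6."""
    return narrow.version == wide.version and narrow.subnet_of(wide)


def decide_blocks(per_host, allocations, threshold=100,
                  min_hosts_for_range=2, min_ranges_for_alloc=2):
    """Apply the three escalating rules and return the collapsed block list as strings."""
    # Rule 1: a single host producing "lots" of probes.
    hosts = {ip for ip, n in per_host.items() if n >= threshold}

    # Rule 2: "lots" of probes spread across several hosts of one /24 (or /64).
    per_range = {}
    for ip, n in per_host.items():
        total, nhosts = per_range.get(range_prefix(ip), (0, 0))
        per_range[range_prefix(ip)] = (total + n, nhosts + 1)
    ranges = {r for r, (total, nhosts) in per_range.items()
              if total >= threshold and nhosts >= min_hosts_for_range}

    # Rule 3: multiple blocked ranges inside one allocation.
    allocs = {a for a in allocations
              if sum(1 for r in ranges if covered(r, a)) >= min_ranges_for_alloc}

    # Collapse: drop any block already contained in a wider block.
    candidates = ({ipaddress.ip_network(f"{ip}/{ip.max_prefixlen}") for ip in hosts}
                  | ranges | allocs)
    return sorted(str(n) for n in candidates
                  if not any(n != w and covered(n, w) for w in candidates))


if __name__ == "__main__":
    for prefix in decide_blocks(parse_probes(constructed_log()), ALLOCATIONS):
        print("block", prefix)
```

With the constructed input, the two /24s under 198.18.0.0/15 trigger the allocation rule, which in turn swallows the lone /32 at 198.18.1.7; the hosts in 203.0.113.0/24 and 2001:db8:1:2::/64 stay as single-host blocks because nothing else in their prefixes misbehaved.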