On Tue, 5 Nov 2002, Eric Germann wrote:

:Anyone want to admit privately (I'll summarize to the list) if they actively
:filter certain partitions of APNIC space?

I realize that you have asked for private replies, but I think this might be useful to the rest of the list, albeit merely my opinion.

While you may see positive results from filtering packets based on geopolitical indicators like .cn and .kr, judging by the kind of attacks this filtering has mitigated for you, there is nothing to indicate that this behaviour is caused by anything meaningfully endemic to these geographic regions.

It's obviously going to be a touchy subject. However, it is worth noting that the attacks you are seeing are caused primarily by virus infections of hosts registered to a NIC that happens to serve a massive number of people.

My question would be, once %85 of these attacks were stopped by your filters, what was the breakdown of attack sources for the remaining %15, and given that remainder, what percentage of those attacks could be stopped by filtering prefixes registered to a specific NIC?

:Thoughts? Is it a valid thesis? I've seen the discussions for spam
:mitigation, etc via DNS, but this is actually null routing all their
:traffic.

It depends on the thesis, as you are obviously seeing results which support the idea that there are a significant number of virus infections which originate from a part of the Internet represented by their registration with a particular NIC.

What the thesis does not address is whether the number of infections per subnet is higher than in a similar sample size from another region, if such a sample size exists, and whether the common thread of a NIC registration establishes causality strongly enough to warrant taking action against networks based on their NIC.

Also, if you were to link the infection rate of hosts with some external indicator like geographic region, or worse, some alleged political or cultural predisposition, it would be a conjecture that could undermine the value of your analysis.

So, it's definitely useful to look at, but linking it to external things like geography and politics turns it into a political analysis, which in turn becomes political ammunition.

What about mapping it by something more relevant to the structure of the network like say, ASNs?

Cheers,

--
batz