Team Cymru / Spamhaus
Hi all,
We're evaluating whether to add BGP feeds from these two sources in an attempt to minimize exposure to DoS. The Team Cymru BOGON list ( http://www.team-cymru.org/Services/Bogons/bogon-bn-nonagg.txt or http://www.team-cymru.org/Services/Bogons/bogon-bn-agg.txt ) looks promising and common-sense. We already filter RFC1918 inbound at our edge, and are interested to see if adding the rest of the blocks will have a significant positive effect. If it does, we're planning to try the IPv4 FULLBOGON list: http://www.team-cymru.org/Services/Bogons/fullbogons-ipv4.txt
We're a little more leery about trying Spamhaus's BGPf service (DROP, EDROP and BCL, http://www.spamhaus.org/bgpf/ ) because we really want to avoid false positives.
Just wondering if anyone has any words of caution ("False positives! Avoid FULLBOGONS and Spamhaus!"), or words of praise ("Do it all! These services are wonderful!") before we take the plunge.
Thanks,
Adam
That won't stop a DoS. A DoS or DDoS is pure bandwidth wars for the most part; if someone is to DoS you, they already have your IPs and the URLs they need to attack you, thus a spam list won't stop an attack. If you want to minimize actual spam, sure.
-----Original Message-----
From: NANOG [mailto:nanog-bounces@nanog.org] On Behalf Of Adam Greene
Sent: Friday, June 27, 2014 9:18 AM
To: 'NANOG list'
Subject: Team Cymru / Spamhaus
Hi all, We're evaluating whether to add BGP feeds from these two sources in an attempt to minimize exposure to DoS. The Team Cymru BOGON list ( http://www.team-cymru.org/Services/Bogons/bogon-bn-nonagg.txt or http://www.team-cymru.org/Services/Bogons/bogon-bn-agg.txt ) looks promising and common-sense. We already filter RFC1918 inbound at our edge, and are interested to see if adding the rest of the blocks will have a significant positive effect. If it does, we're planning to try the IPv4 FULLBOGON list: http://www.team-cymru.org/Services/Bogons/fullbogons-ipv4.txt We're a little more leery about trying Spamhaus's BGPf service (DROP, EDROP and BCL, http://www.spamhaus.org/bgpf/ ) because we really want to avoid false positives. Just wondering if anyone has any words of caution ("False positives! Avoid FULLBOGONS and Spamhaus!"), or words of praise ("Do it all! These services are wonderful!") before we take the plunge. Thanks, Adam
Could I also encourage you to do anti-spoofing filtering, a la BCP38?
-- ferg
On 6/27/2014 8:17 AM, Adam Greene wrote:
Hi all,
We're evaluating whether to add BGP feeds from these two sources in an attempt to minimize exposure to DoS.
The Team Cymru BOGON list ( http://www.team-cymru.org/Services/Bogons/bogon-bn-nonagg.txt or http://www.team-cymru.org/Services/Bogons/bogon-bn-agg.txt ) looks promising and common-sense.
We already filter RFC1918 inbound at our edge, and are interested to see if adding the rest of the blocks will have a significant positive effect.
If it does, we're planning to try the IPv4 FULLBOGON list:
http://www.team-cymru.org/Services/Bogons/fullbogons-ipv4.txt
We're a little more leery about trying Spamhaus's BGPf service (DROP, EDROP and BCL,
)
because we really want to avoid false positives.
Just wondering if anyone has any words of caution ("False positives! Avoid FULLBOGONS and Spamhaus!"), or words of praise ("Do it all! These services are wonderful!") before we take the plunge.
Thanks,
Adam
--
Paul Ferguson
VP Threat Intelligence, IID
PGP Public Key ID: 0x54DC85B2
Key fingerprint: 19EC 2945 FEE8 D6C8 58A1 CE53 2896 AC75 54DC 85B2
On Fri, 27 Jun 2014, Adam Greene wrote:
We're evaluating whether to add BGP feeds from these two sources in an attempt to minimize exposure to DoS.
The Team Cymru BOGON list (
http://www.team-cymru.org/Services/Bogons/bogon-bn-nonagg.txt or
These really won't do anything to stop DoS attacks. Common DDoS attack traffic these days comes via reflection from non-spoofed sources replying to a spoofed public IP target.
http://www.team-cymru.org/Services/Bogons/fullbogons-ipv4.txt
Same here. Whether or not it's worth null routing unallocated IP space may be debatable, but again, it's not going to help protect you from a typical real DDoS.
We're a little more leery about trying Spamhaus's BGPf service (DROP, EDROP and BCL,
This is more about stopping spam from entering your network and stopping compromised hosts on your network from becoming active in botnets (by cutting off their command and control).
----------------------------------------------------------------------
Jon Lewis, MCP :) | I route | therefore you are
http://www.lewis.org/~jlewis/pgp for PGP public key
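The three points made so far in the thread (Adam's bogon ingress filter, ferg's BCP38 egress filter, and Jon's observation that reflection traffic comes from legitimately routed sources and therefore sails through a bogon filter) can be shown together in a small simulation. This is an added example, not code from the thread, Team Cymru or Spamhaus. It assumes the one-prefix-per-line layout of the bogon-bn-agg.txt file and uses a constructed excerpt of that feed, a constructed set of "our" prefixes, and constructed packets drawn from RFC 5737 documentation ranges; everything else is Python's standard `ipaddress` module.

```python
import ipaddress

# Constructed excerpt in the one-prefix-per-line layout of Team Cymru's bogon-bn-agg.txt.
# Sample only: the real list is longer and changes over time, and it also contains the
# RFC 5737 documentation ranges (198.51.100.0/24, 203.0.113.0/24) that this example
# borrows as stand-ins for "our" space and a remote reflector, so those are left out here.
BOGON_FEED = """\
# comment lines and blank lines are tolerated by the parser
0.0.0.0/8
10.0.0.0/8
100.64.0.0/10
127.0.0.0/8
169.254.0.0/16
172.16.0.0/12
192.0.2.0/24
192.168.0.0/16
224.0.0.0/3
"""

# Address space we announce (assumption: a single /24 from a documentation range).
OUR_PREFIXES = ["203.0.113.0/24"]

# Constructed packets: (direction at our edge, source address, description).
SAMPLE_PACKETS = [
    ("ingress", "10.1.2.3",       "spoofed RFC1918 source arriving from the Internet"),
    ("ingress", "192.0.2.77",     "source inside a reserved/unallocated block"),
    ("ingress", "198.51.100.123", "reply from a real reflector aimed at us (amplification)"),
    ("egress",  "203.0.113.5",    "normal traffic from one of our own hosts"),
    ("egress",  "198.51.100.9",   "our host spoofing a victim's address toward a reflector"),
]


def parse_prefix_feed(text):
    """Parse a one-CIDR-per-line feed into ip_network objects, skipping comments/blanks."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def in_any(addr, nets):
    """True if addr falls inside any of the given networks."""
    a = ipaddress.ip_address(addr)
    return any(a in n for n in nets)


def ingress_verdict(src, bogons):
    """Edge ingress (bogon) filter: drop only if the source can never be a legitimate sender."""
    return "drop-bogon" if in_any(src, bogons) else "accept"


def egress_verdict(src, ours):
    """BCP38 egress filter: only packets sourced from our own prefixes may leave."""
    return "accept" if in_any(src, ours) else "drop-spoofed"


def classify(packets, bogon_text=BOGON_FEED, our_prefixes=OUR_PREFIXES):
    """Return {source address: verdict} for each packet under the filter that applies to it."""
    bogons = parse_prefix_feed(bogon_text)
    ours = [ipaddress.ip_network(p) for p in our_prefixes]
    verdicts = {}
    for direction, src, _desc in packets:
        if direction == "ingress":
            verdicts[src] = ingress_verdict(src, bogons)
        else:
            verdicts[src] = egress_verdict(src, ours)
    return verdicts


if __name__ == "__main__":
    results = classify(SAMPLE_PACKETS)
    for direction, src, desc in SAMPLE_PACKETS:
        print(f"{direction:7} {src:15} {results[src]:13} {desc}")
```

The reflector's reply (198.51.100.123) is accepted by the bogon filter because the reflector has a perfectly routable address, which is exactly why the feed does nothing against that attack class; the BCP38 egress rule, by contrast, stops a host inside the network from sourcing the spoofed request that triggers the reflection in the first place.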
On Fri, Jun 27, 2014 at 10:40 PM, Jon Lewis <jlewis@lewis.org> wrote:
We're a little more leery about trying Spamhaus's BGPf service (DROP, EDROP and BCL,
This is more about stopping spam from entering your network and stopping compromised hosts on your network from becoming active in botnets (by cutting off their command and control).
Not quite. DROP (Don't Route Or Peer) and EDROP are advisory "drop all traffic" lists, consisting of netblocks that are "hijacked" or leased by professional spam or cyber-crime operations (used for dissemination of malware, trojan downloaders, botnet controllers). The DROP and EDROP lists are a tiny subset of the SBL, designed for use by firewalls and routing equipment to filter out the malicious traffic from these netblocks. (Source: http://www.spamhaus.org/drop/, linked from the URL quoted above) -- Matthias
+1, blanket banning is probably not the best way to go.
On 6/28/2014 05:40 AM, Jon Lewis wrote:
On Fri, 27 Jun 2014, Adam Greene wrote:
We're evaluating whether to add BGP feeds from these two sources in an attempt to minimize exposure to DoS.
The Team Cymru BOGON list (
http://www.team-cymru.org/Services/Bogons/bogon-bn-nonagg.txt or
These really won't do anything to stop DoS attacks. Common DDoS attack traffic these days comes via reflection from non-spoofed sources replying to a spoofed public IP target.
http://www.team-cymru.org/Services/Bogons/fullbogons-ipv4.txt
Same here. Whether or not it's worth null routing unallocated IP space may be debatable, but again, it's not going to help protect you from a typical real DDoS.
We're a little more leery about trying Spamhaus's BGPf service (DROP, EDROP and BCL,
This is more about stopping spam from entering your network and stopping compromised hosts on your network from becoming active in botnets (by cutting off their command and control).
----------------------------------------------------------------------
Jon Lewis, MCP :) | I route | therefore you are
http://www.lewis.org/~jlewis/pgp for PGP public key
participants (6): Adam Greene, Jon Lewis, Matthias Leisi, Paul Ferguson, Paul S., SysIT