Blackholing APNIC Routes (or a subset of)
Anyone want to admit privately (I'll summarize to the list) if they actively filter certain partitions of APNIC space? We did a little experiment the past couple of days and saw at 85% of our port 13[5-9] scans, Code Red/Nimda/formmail attempts, etc. go out the door by blackholing those networks in .cn and .kr.

Thoughts? Is it a valid thesis? I've seen the discussions for spam mitigation, etc via DNS, but this is actually null routing all their traffic.

Eric

==========================================================================
Eric Germann
CCTec
ekgermann@cctec.com
Van Wert OH 45801
http://www.cctec.com
Ph: 419 968 2640
Fax: 603 825 5893

"The fact that there are actually ways of knowing and characterizing the extent of one’s ignorance, while still remaining ignorant, may ultimately be more interesting and useful to people than Yarkovsky" -- Jon Giorgini of NASA’s Jet Propulsion Laboratory
On Tuesday, Nov 5, 2002, at 15:22 Canada/Eastern, Eric Germann wrote:
> Anyone want to admit privately (I'll summarize to the list) if they actively filter certain partitions of APNIC space?
>
> We did a little experiment the past couple of days and saw at 85% of our port 13[5-9] scans, Code Red/Nimda/formmail attempts, etc. go out the door by blackholing those networks in .cn and .kr.
>
> Thoughts? Is it a valid thesis? I've seen the discussions for spam mitigation, etc via DNS, but this is actually null routing all their traffic.

Speaking as someone who used to operate networks in New Zealand, please take care not to blame the whole region for troublesome traffic originating from one or two countries. There is nothing people in NZ can do about network abuse in China or Korea.

Subject lines that read "Blackholing APNIC Routes" are best avoided, in my opinion, lest they give people ideas.

In other news, despite what several large network operators might think, 202/7 is not "CHINANET" :)

Joe
On Tue, 5 Nov 2002, Eric Germann wrote:

:Anyone want to admit privately (I'll summarize to the list) if they actively
:filter certain partitions of APNIC space?

I realize that you have asked for private replies, but I think this might be useful to the rest of the list, albeit merely my opinion.

While you may see positive results from filtering packets based on geopolitical indicators like .cn and .kr, judging by the kind of attacks this filtering has mitigated for you, there is nothing to indicate that this behaviour is caused by anything meaningfully endemic to these geographic regions. It's obviously going to be a touchy subject. However, it is worth noting that the attacks you are seeing are caused primarily by virus infections of hosts registered to a NIC that happens to serve a massive number of people.

My question would be, once 85% of these attacks were stopped by your filters, what was the breakdown of attack sources for the remaining 15%, and given that remainder, what percentage of those attacks could be stopped by filtering prefixes registered to a specific NIC?

:Thoughts? Is it a valid thesis? I've seen the discussions for spam
:mitigation, etc via DNS, but this is actually null routing all their
:traffic.

It depends on the thesis, as you are obviously seeing results which support the idea that there are a significant number of virus infections which originate from a part of the Internet represented by their registration with a particular NIC. What the thesis does not address is whether the number of infections per subnet is higher than in a similar sample size from another region, if such a sample size exists, and whether the common thread of a NIC registration establishes causality strongly enough to warrant taking action against networks based on their NIC.

Also, if you were to link the infection rate of hosts with some external indicator like geographic region, or worse, some alleged political or cultural predisposition, it would be a conjecture that could undermine the value of your analysis. So, it's definitely useful to look at, but linking it to external things like geography and politics turns it into a political analysis, which in turn becomes political ammunition.

What about mapping it by something more relevant to the structure of the network like say, ASNs?

Cheers,

--
batz
> What about mapping it by something more relevant to the structure of the network like say, ASNs?

And filtering on ASN-basis is straightforward if you have loose RPF deployed. Just filter the inbound announcements from a specific AS and all traffic will be dropped automatically.

Pete
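batz asks for the per-source breakdown of the remaining attacks and suggests mapping them by ASN instead of by NIC or country, and Pete's route-filter approach needs to know which ASes are worth dropping. The following is an added example, not code from anyone on the thread: it takes constructed scan/worm log lines and a constructed prefix-to-origin-AS table (placeholder AS numbers and documentation address ranges, not real allocations), attributes each event to an origin AS by longest-prefix match, and reports what share of events a given set of AS filters would cover.

```python
import ipaddress
from collections import Counter

# Constructed prefix-to-origin-AS table. The /25 is a more-specific
# announced by a different AS, which is why longest-prefix match matters.
PREFIX_TABLE = {
    "203.0.113.0/24": 64496,
    "203.0.113.128/25": 64497,
    "198.51.100.0/24": 64498,
}

def build_table(table):
    """Parse prefixes once and order them most-specific first."""
    nets = [(ipaddress.ip_network(p), asn) for p, asn in table.items()]
    return sorted(nets, key=lambda entry: entry[0].prefixlen, reverse=True)

def origin_as(ip, nets):
    """Origin AS of the most specific covering prefix, or None if unknown."""
    addr = ipaddress.ip_address(ip)
    for net, asn in nets:
        if addr in net:
            return asn
    return None

def events_by_as(log_lines, nets):
    """Count events per origin AS from 'src dst dport' log lines."""
    counts = Counter()
    for line in log_lines:
        src = line.split()[0]
        counts[origin_as(src, nets)] += 1
    return counts

def coverage(counts, asns):
    """Fraction of events that filtering routes from the given ASes would stop."""
    total = sum(counts.values())
    hit = sum(n for asn, n in counts.items() if asn in asns)
    return hit / total if total else 0.0

# Constructed sample log: source, destination, destination port.
SAMPLE_LOG = [
    "203.0.113.7 192.0.2.10 139",
    "203.0.113.9 192.0.2.10 137",
    "203.0.113.200 192.0.2.10 80",   # inside the /25, so AS64497
    "198.51.100.4 192.0.2.10 135",
    "198.51.100.5 192.0.2.10 80",
    "100.64.0.5 192.0.2.10 138",     # not in the table: unattributed
]

if __name__ == "__main__":
    nets = build_table(PREFIX_TABLE)
    counts = events_by_as(SAMPLE_LOG, nets)
    for asn, n in counts.most_common():
        print(f"AS{asn}: {n}")
    print(f"filtering AS64496 and AS64498 covers {coverage(counts, {64496, 64498}):.0%}")
```

The unattributed bucket is the part of the "remaining 15%" that no prefix-based filter reaches. Note that loose RPF only drops a source once no route to it remains at all, so an AS that is also learned from another peer or covered by a default route is not stopped by filtering one session's announcements.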
Participants (5): batz, Eric Germann, Joe Abley, Petri Helenius, steve uurtamo