[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

de-peering for security sake

Subject: de-peering for security sake
From: jabley at hopcount.ca (Joe Abley)
Date: Sat, 26 Dec 2015 11:14:25 -0500
In-reply-to: <[email protected]>
References: <278703070.5666.1451139598778.JavaMail.mhammett@ThunderFuck> <[email protected]>

On Dec 26, 2015, at 10:09, Stephen Satchell <list at satchell.net> wrote:

> My gauge is volume of obnoxious traffic.  When I get lots of SSH probes from a /32, I block the /32.

... without any knowledge of how many end systems are going to be affected.

A significant campus or provider user base behind a NAT is likely to
have more infections in absolute terms, which means more observed bad
behaviour. It also means more end-systems (again, in absolute terms)
that represent collateral damage.

> When I get lots of SSH probes across a range of a /24, I block the /24.

[...]

> When I see that the bad traffic has caused me to block multiple /24s, I will block the entire allocation.

Your network, your rules. But that's not the way I would manage things
if I thought my job was to optimise and maximise connectivity between
my users and the Internet.

With respect to ssh scans in particular -- disable all forms of
password authentication and insist upon public key authentication
instead. If the password scan log lines still upset you, stop logging
them.

Joe

Follow-Ups:
- de-peering for security sake
  - From: wwaites at tardis.ed.ac.uk (William Waites)
- de-peering for security sake
  - From: owen at delong.com (Owen DeLong)
- de-peering for security sake
  - From: jared at puck.nether.net (Jared Mauch)

References:
- de-peering for security sake
  - From: nanog at ics-il.net (Mike Hammett)
- de-peering for security sake
  - From: list at satchell.net (Stephen Satchell)

Prev by Date: de-peering for security sake
Next by Date: de-peering for security sake
Previous by thread: de-peering for security sake
Next by thread: de-peering for security sake
Index(es):
- Date
- Thread