de-peering for security sake

Mike Hammett nanog at ics-il.net
Sat Dec 26 15:30:02 UTC 2015


1) Automation is your friend. 
2) If a host is compromised and doing an SSH scan, it's likely going to also be attempting SMTP, WordPress, home router, etc. attacks. Use a canary to block that host altogether to better your network. 




----- 
Mike Hammett 
Intelligent Computing Solutions 
http://www.ics-il.com 



Midwest Internet Exchange 
http://www.midwest-ix.com 


----- Original Message -----

From: "Baldur Norddahl" <baldur.norddahl at gmail.com> 
To: nanog at nanog.org 
Sent: Saturday, December 26, 2015 9:19:15 AM 
Subject: Re: de-peering for security sake 

On 26 December 2015 at 16:09, Stephen Satchell <list at satchell.net> wrote: 

> On 12/26/2015 06:19 AM, Mike Hammett wrote: 
> 
>> How much is an acceptable standard to the community? Individual /32s 
>> (or /64s)? Some tipping point where 50% of a /24 (or whatever its 
>> IPv6 equivalent would be) has made your naughty list that you block 
>> the whole prefix? 
>> 
> 
> My gauge is volume of obnoxious traffic. When I get lots of SSH probes 
> from a /32, I block the /32. When I get lots of SSH probes across a range 
> of a /24, I block the /24. 
> 


Do you people have nothing better to do than scan firewall log files and 
insert rules to block stuff that was already blocked by default? 

Hint: if ssh probes spam your log, then move your ssh service to a 
non-standard port. 

Regards, 

Baldur 
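Stephen's rule above (block the /32 when one host is noisy, the /24 when the probes are spread across one) together with Mike's point that this should be automated, written out as an added example; it is not code from any participant in the thread. The sshd log lines are constructed and use documentation prefixes, the nft table and set names are placeholders assumed to already exist behind a drop rule, and the thresholds (5 failures per host, 3 offending hosts per prefix) are illustrative choices rather than values from the thread. The example also generalizes the same rule to IPv6 by aggregating on the /64 the thread mentions.

```python
"""Turn sshd failed-login lines into host and prefix block decisions.

Added example for the blocking policy discussed in the thread; not code from
any list participant. SAMPLE_LOG is constructed from documentation prefixes.
"""
import ipaddress
import re
from collections import Counter, defaultdict

FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (\S+) port \d+"
)

# Aggregation prefix per address family, following the thread's /24 and /64 examples.
AGGREGATE_PREFIX = {4: 24, 6: 64}


def _fail_line(ip, port):
    """Build one constructed sshd log line in the usual syslog layout."""
    return (f"Dec 26 15:30:02 gw sshd[4242]: Failed password for invalid user admin "
            f"from {ip} port {port} ssh2")


# Constructed sample: one noisy host, three hosts spread over a /24, three over a /64,
# one host below threshold, and one successful login that must be ignored.
SAMPLE_LOG = (
    [_fail_line("203.0.113.7", 51000 + i) for i in range(6)]
    + [_fail_line(f"198.51.100.{h}", 52000 + i) for h in (10, 11, 12) for i in range(5)]
    + [_fail_line(f"2001:db8:1::{h}", 53000 + i) for h in (1, 2, 3) for i in range(5)]
    + [_fail_line("192.0.2.99", 54000 + i) for i in range(2)]
    + ["Dec 26 15:31:00 gw sshd[4243]: Accepted publickey for ops from 192.0.2.50 port 40000 ssh2"]
)


def parse_failed_sources(lines):
    """Count failed-login lines per source address (normalized string form).

    Lines that do not match, or carry a malformed address field, are skipped.
    """
    counts = Counter()
    for line in lines:
        m = FAILED_RE.search(line)
        if not m:
            continue
        try:
            addr = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue  # not an IP literal; leave it out rather than block garbage
        counts[str(addr)] += 1
    return counts


def block_decisions(counts, host_threshold=5, net_threshold=3):
    """Apply the thread's rule.

    A host with at least host_threshold failures is a block candidate. When
    net_threshold or more such hosts share one /24 (IPv4) or /64 (IPv6), the
    whole aggregate prefix is blocked instead of the individual hosts.
    Returns a list of (prefix, reason) tuples, IPv4 first, in address order.
    """
    offenders = [ipaddress.ip_address(s) for s, n in counts.items() if n >= host_threshold]
    by_net = defaultdict(set)
    for ip in offenders:
        net = ipaddress.ip_network(f"{ip}/{AGGREGATE_PREFIX[ip.version]}", strict=False)
        by_net[net].add(ip)
    decisions = []
    for net, hosts in sorted(by_net.items(), key=lambda kv: (kv[0].version, kv[0])):
        if len(hosts) >= net_threshold:
            decisions.append((str(net), f"{len(hosts)} probing hosts"))
        else:
            for ip in sorted(hosts):
                decisions.append((f"{ip}/{ip.max_prefixlen}", f"{counts[str(ip)]} failed logins"))
    return decisions


def to_nft_commands(decisions, v4_set="inet filter blocklist4", v6_set="inet filter blocklist6"):
    """Render decisions as nft set-element additions.

    The table and the two sets (one per address family, since an nftables set
    holds a single address type) are placeholders assumed to exist already,
    referenced by a drop rule.
    """
    cmds = []
    for prefix, _reason in decisions:
        target = v4_set if ipaddress.ip_network(prefix).version == 4 else v6_set
        cmds.append(f"nft add element {target} {{ {prefix} }}")
    return cmds


if __name__ == "__main__":
    for prefix, reason in block_decisions(parse_failed_sources(SAMPLE_LOG)):
        print(f"{prefix:24} {reason}")
```

Escalating to the aggregate prefix once several hosts in it are probing keeps the rule count from growing with every new source, which is the practical difference between Stephen's two cases; the thresholds and the choice of /24 and /64 as the aggregation boundary are the knobs an operator would tune to their own log volume.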



