de-peering for security sake
Mike Hammett
nanog at ics-il.net
Sat Dec 26 15:30:02 UTC 2015
1) Automation is your friend.
2) If a host is compromised and doing an SSH scan, it's likely going to also be attempting SMTP, WordPress, home router, etc. attacks. Use a canary to block that host altogether to better your network.
-----
Mike Hammett
Intelligent Computing Solutions
http://www.ics-il.com
Midwest Internet Exchange
http://www.midwest-ix.com
----- Original Message -----
From: "Baldur Norddahl" <baldur.norddahl at gmail.com>
To: nanog at nanog.org
Sent: Saturday, December 26, 2015 9:19:15 AM
Subject: Re: de-peering for security sake
On 26 December 2015 at 16:09, Stephen Satchell <list at satchell.net> wrote:
> On 12/26/2015 06:19 AM, Mike Hammett wrote:
>
>> How much is an acceptable standard to the community? Individual /32s
>> ( or /64s)? Some tipping point where 50% of a /24 (or whatever it's
>> IPv6 equivalent would be) has made your naughty list that you block
>> the whole prefix?
>>
>
> My gauge is volume of obnoxious traffic. When I get lots of SSH probes
> from a /32, I block the /32. When I get lots of SSH probes across a range
> of a /24, I block the /24.
>
Do you people have nothing better to do than scan firewall log files and
insert rules to block stuff that was already blocked by default?
Hint: if ssh probes spams your log then move your ssh service to a non
standard port.
Regards,
Baldur
More information about the NANOG
mailing list