de-peering for security sake

Matthew Petach mpetach at netflight.com
Sat Dec 26 20:50:27 UTC 2015


On Sat, Dec 26, 2015 at 12:34 PM, Owen DeLong <owen at delong.com> wrote:
>> On Dec 26, 2015, at 08:14 , Joe Abley <jabley at hopcount.ca> wrote:
>> On Dec 26, 2015, at 10:09, Stephen Satchell <list at satchell.net> wrote
>>> My gauge is volume of obnoxious traffic.  When I get lots of SSH probes from a /32, I block the /32.
[...]
>> With respect to ssh scans in particular -- disable all forms of
>> password authentication and insist upon public key authentication
>> instead. If the password scan log lines still upset you, stop logging
>> them.
>
> This isn’t a bad idea, per se, but it’s not always possible for the guy running the server
> to dictate usage to the people using the accounts.
>
> Also, note that the only difference between a good long passphrase and a private key is,
> uh, wait, um, come to think of it, really not much.
>
> The primary difference is that nobody expects to have to remember a private key so we don’t
> get fussed when they contain lots of entropy. Users aren’t good at choosing good long secure
> passphrases and the automated mechanisms that attempt to enforce strong passwords just
> serve to increase user confusion and actually reduce the entropy in passwords overall.


No, the difference is that a passphrase works
in conjunction with the private key, which is
the "something you have" vs the "something
you know" in two-factor authentication.

With password authentication, there's only a
single solution space for the attacker to
sift through; with private key authentication,
unless you're sloppy about securing your
private key, there's two massive solution spaces
for the attacker to sift through to find the unique
point of intersection.

Massively different solution space volumes
to deal with.  Equating the two only has meaning
in cosmological contexts.

> Owen
>

Matt



More information about the NANOG mailing list