Getting hit hard by CHINANET

Ca By cb.list6 at gmail.com
Mon Mar 23 13:37:44 UTC 2015


On Monday, March 23, 2015, Ray Soucy <rps at maine.edu> wrote:

> I did a test on my personal server of filtering every IP network assigned
> to China for a few months and over 90% of SSH attempts and other noise just
> went away.  It was pretty remarkable.
>
> Working for a public university I can't block China outright, but there are
> times it has been tempting. :-)
>
> The majority of DDOS attacks I see are sourced from addresses in the US,
> though (likely spoofed).  Just saw a pretty large one last week which was
> SSDP 1900 to UDP port 80, 50K+ unique host addresses involved.
>
>
Having your upstream apply a permanent udp bw policer, say 5 or 10x busy
hour baseline, works well for this.


>
> On Wed, Mar 18, 2015 at 8:32 AM, Eric Rogers <ecrogers at precisionds.com> wrote:
>
> > We are using Mikrotik for a BGP blackhole server that collects BOGONs
> > from CYMRU and we also have our servers (web, email, etc.) use fail2ban
> > to add a bad IP to the Mikrotik.  We then use BGP on all our core
> > routers to null route those IPs.
> >
> > The ban-time is for a few days, and totally dynamic, so it isn't a
> > permanent ban.  Seems to have cut down on the attempts considerably.
> >
> > Eric Rogers
> > PDSConnect
> > www.pdsconnect.me
> > (317) 831-3000 x200
> >
> >
> > -----Original Message-----
> > From: NANOG [mailto:nanog-bounces at nanog.org] On Behalf Of Roland Dobbins
> > Sent: Wednesday, March 18, 2015 6:04 AM
> > To: nanog at nanog.org
> > Subject: Re: Getting hit hard by CHINANET
> >
> >
> > On 18 Mar 2015, at 17:00, Roland Dobbins wrote:
> >
> > > This is not an optimal approach, and most providers are unlikely to
> > > engage in such behavior due to its potential negative impact (I'm
> > > assuming you mean via S/RTBH and/or flowspec).
> >
> > Here's one counterexample:
> >
> > <https://ripe68.ripe.net/presentations/176-RIPE68_JSnijders_DDoS_Damage_Control.pdf>
> >
> > -----------------------------------
> > Roland Dobbins <rdobbins at arbor.net>
> >
>
>
>
> --
> Ray Patrick Soucy
> Network Engineer
> University of Maine System
>
> T: 207-561-3526
> F: 207-561-3531
>
> MaineREN, Maine's Research and Education Network
> www.maineren.net
>
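
Added example, not part of the original thread: one way to derive the "5 or 10x busy hour baseline" UDP policer rates mentioned in the reply above from interface byte counters. The 5-minute polling interval, the median-across-days baseline, the helper names and the sample byte counts are all assumptions constructed for illustration.

```python
from statistics import median

SAMPLE_SECONDS = 300                        # assumed 5-minute counter polling
PER_HOUR = 3600 // SAMPLE_SECONDS           # samples in a one-hour window

def busy_hour_bps(samples):
    """Highest one-hour average UDP rate (bits/s) in a day of byte counts."""
    if len(samples) < PER_HOUR:
        raise ValueError("need at least one hour of samples")
    window = best = sum(samples[:PER_HOUR])
    for i in range(PER_HOUR, len(samples)):
        window += samples[i] - samples[i - PER_HOUR]   # slide by one sample
        best = max(best, window)
    return best * 8 / 3600

def policer_rates(days, multipliers=(5, 10)):
    """Return (baseline_bps, {multiplier: policer_bps}).

    Assumption: the baseline is the median busy hour across days, so a day
    that already contained an attack does not inflate the policer.
    """
    baseline = median(busy_hour_bps(day) for day in days)
    return baseline, {m: baseline * m for m in multipliers}

def make_day(quiet, busy, busy_start=228):
    """Constructed sample: 288 five-minute byte counts with one busy hour."""
    day = [quiet] * 288
    day[busy_start:busy_start + PER_HOUR] = [busy] * PER_HOUR
    return day

# Constructed data: two normal days (12 Mbit/s busy hour) and one attack day.
NORMAL_DAY = make_day(45_000_000, 450_000_000)
ATTACK_DAY = make_day(45_000_000, 45_000_000_000, busy_start=100)
DAYS = [NORMAL_DAY, ATTACK_DAY, NORMAL_DAY]

if __name__ == "__main__":
    baseline, rates = policer_rates(DAYS)
    print(f"busy-hour baseline: {baseline / 1e6:.1f} Mbit/s")
    for m, bps in rates.items():
        print(f"policer at {m}x: {bps / 1e6:.1f} Mbit/s")
```

The resulting figures are what would be handed to the upstream as the requested policer rate; legitimate UDP (DNS, NTP, QUIC, VoIP) shares that budget, so the baseline should be measured on the same interface and direction the policer will apply to.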


