Blackholing APNIC Routes (or a subset of)

batz batsy at
Tue Nov 5 21:02:02 UTC 2002

On Tue, 5 Nov 2002, Eric Germann wrote:

:Anyone want to admit privately (I'll summarize to the list) if they actively
:filter certain partitions of APNIC space?

I realize that you have asked for private replies, but I think 
this might be useful to the rest of the list, albeit merely my 

While you may see positive results from filtering packets based 
on geopolitical indicators like .cn and .kr, judging by the kind
of attacks this filtering has mitigated for you, there is nothing 
to indicate that this behaviour is caused by anything meaningfully 
endemic to these geographic regions.  

It's obviously going to be a touchy subject. However, it is worth noting
that the attacks you are seeing are caused primarily by virus infections
of hosts registered to a NIC that happens to serve a massive number of 

My question would be, once %85 of these attacks were stopped by your
filters, what was the breakdown of attack sources for the remaining %15, 
and given that remainder, what percentage of those attacks could be 
stopped by filtering prefixes registered to a specific NIC?  

:Thoughts?  Is it a valid thesis?  I've seen the discussions for spam
:mitigation, etc via DNS, but this is actually null routing all their

It depends on the thesis, as you are obviously seeing results which 
support the idea that there are a signifigant number of virus infections
which originate from a part of the Internet represented by their registration
with a particular NIC. What the thesis does not address is whether the 
number of infections per subnet is higher than in a similar sample size 
from another region, if such a sample size exists, and whether the 
common thread of a NIC registration establishes causality 
strongly enough to warrant taking action against networks based 
on their NIC.  

Also, if you were to link the infection rate of hosts
with some external indicator like geographic region, or 
worse, some alleged political or cultural predisposition, 
it would be a conjecture that could undermine the value of
your analysis. 

So, it's definitely useful to look at, but linking it to external
things like geography and politics turns it into a political 
analysis, which in turn becomes political ammunition. 

What about mapping it by something more relevant to the structure
of the network like say, ASNs? 



More information about the NANOG mailing list