Open relays and open proxies

Jeff Kell jeff-kell at utc.edu
Thu Apr 24 20:33:31 UTC 2003


Joe St Sauver wrote:

> What's really needed is some way to take open proxy DNSBL data and 
> instantiate a dump of that data onto a suitable appliance. It is probably
> too much state to burden a reasonable sized border route with, but you 
> could imagine other devices that could probably handle it (at least for
> moderate speed flows), much as there are currently middle boxes which
> rip open packets to target peer to peer traffic.

Along those lines, I have been running an ACL-based spam blocker at 
ingress for a little over six months, but it has really surpassed the 
manageable level for many devices.  To put this in perspective, we use
a feed from SPEWS level 1 data, current DShield block list, and some 
manual black/whitelist data, shove it through a perl script, and
produce a TFTPable config file which is then 'config net'ed into our 
edge devices.

The last few days of SPEWS data varies around 14000 lines (mix of CIDR 
blocks and individual hosts), currently 2400 lines in our local 
additions, yielding a merged ACL (with ingress blocks, bogons, DShield 
blocks, and anti-spam) of ~15800 lines (~603kB).  With 'service 
compress-config' enabled, this fits into a 3640 and doesn't kill it in 
the process (8xT1s).  It overflows TCAM on a 6509 and forces process 
switching in the ingress direction, but otherwise works (1xGigE, 2x100FE).

On the other hand, NJABL.ORG lists 255K open relays, 170K open proxies, 
and a smattering of dialups and other listings.  This is way beyond ACLs 
that I could even imagine thinking about :-)

Jeff
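The feed-merging step described above, as an added example rather than Jeff's own perl script: it parses constructed SPEWS-style and DShield-style lines, collapses overlapping blocks, carves the local whitelist out of any block that covers it, and renders Cisco extended-ACL deny lines. The feed formats, the ACL number and every address are assumptions.

```python
import ipaddress
from typing import Iterable, List

# Constructed sample feeds (not real SPEWS or DShield data); one CIDR or host per line.
SPEWS_SAMPLE = """
# SPEWS-style list
192.0.2.0/24
192.0.2.15
198.51.100.0/25
"""
DSHIELD_SAMPLE = """
198.51.100.128/25
203.0.113.77
"""
LOCAL_BLOCK = ["203.0.113.0/24"]   # manual blacklist additions
LOCAL_ALLOW = ["192.0.2.200"]      # manual whitelist: must never be denied


def parse_feed(text: str) -> List[ipaddress.IPv4Network]:
    """Turn feed lines into networks; bare hosts become /32, malformed lines are skipped."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            nets.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            continue  # skip rather than emit a bogus ACL line the router would reject
    return nets


def merge_blocks(feeds: Iterable[List[ipaddress.IPv4Network]],
                 allow: List[ipaddress.IPv4Network]) -> List[ipaddress.IPv4Network]:
    """Union all feeds, collapse overlaps, then carve every whitelisted prefix out."""
    merged = list(ipaddress.collapse_addresses(n for feed in feeds for n in feed))
    for keep in allow:
        carved = []
        for net in merged:
            if keep.subnet_of(net):
                carved.extend(net.address_exclude(keep))  # split the block around the whitelist
            elif not net.subnet_of(keep):
                carved.append(net)                        # untouched; drop if inside the whitelist
        merged = carved
    return sorted(merged)


def to_acl(nets: List[ipaddress.IPv4Network], acl_id: int = 101) -> List[str]:
    """Render deny entries in extended-ACL syntax (wildcard mask, not prefix length)."""
    return [f"access-list {acl_id} deny ip {n.network_address} {n.hostmask} any" for n in nets]


def build_acl() -> List[str]:
    feeds = [parse_feed(SPEWS_SAMPLE), parse_feed(DSHIELD_SAMPLE), parse_feed("\n".join(LOCAL_BLOCK))]
    return to_acl(merge_blocks(feeds, parse_feed("\n".join(LOCAL_ALLOW))))
```

Carving one whitelisted host out of a /24 costs eight ACL lines, which is part of why a merged list of this kind grows far faster than the raw feed line counts suggest.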




More information about the NANOG mailing list