Open relays and open proxies

jlewis at lewis.org jlewis at lewis.org
Thu Apr 24 21:02:22 UTC 2003


On Thu, 24 Apr 2003, Joe St Sauver wrote:

> The sheer magnitude of the problem also argues against manual construction
> of ACL's on a host-by-host basis; to date, having looked at this issue
> for maybe six months now, I believe the number of *known* open proxies is
> on the order of 120K hosts, few of which are sequentially disposed into
> nice CIDR-able netblocks (unless you're okay with the concept of lumping 

That depends on who's "known" list you're looking at.  I know of
considerably more open proxies, and suspect the actual number of open
proxies on the net today is at least several, if not many, times that 
number.
 
> What's really needed is some way to take open proxy DNSBL data and 
> instantiate a dump of that data onto a suitable appliance. It is probably
> too much state to burden a reasonable sized border route with, but you 
> could imagine other devices that could probably handle it (at least for
> moderate speed flows), much as there are currently middle boxes which
> rip open packets to target peer to peer traffic.

That would be one heck of an ACL or routing table full of null routes.  I 
doubt it can be done in a practical manner.

----------------------------------------------------------------------
 Jon Lewis *jlewis at lewis.org*|  I route
 System Administrator        |  therefore you are
 Atlantic Net                |  
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________




More information about the NANOG mailing list