zotob - blocking tcp/445
Bill Nash
billn at billn.net
Thu Aug 18 17:08:13 UTC 2005
On Thu, 18 Aug 2005, Roger Marquis wrote:
> My question is not what can we do about bots, we already filter
> these worst case networks, but what can we do to make it worthwhile
> for bot-providers like NETNET to police their own networks without
> involving lawyers?
Establish and document a history that determines peering with that
network, or its providers, presents a significant risk to your network,
or that of your customers.
If you've got a view into your traffic that looks like this:
SELECT source, proto, dstPort, COUNT(destination) AS count
FROM flows
WHERE packets < 4
GROUP BY source, proto, dstPort
ORDER BY count DESC
Source            proto  dstPort  count
62.149.195.129      6       42    13018
203.69.204.250      6      445    12889
213.123.129.237     1     2048    12693
70.17.255.43        6      443    12685
217.132.56.139      6     4899    11056
209.181.111.12      6      135     8148
221.210.149.97      6     4899     7368
212.24.201.220      6      135     6451
172.131.83.244      6      135     6025
209.188.172.66      6      445     5055
80.177.36.162       6      445     4982
64.121.65.197       6     4899     4262
64.32.117.250       6      135     3954
213.144.99.241      6      445     3493
64.231.44.65        6      135     3157
213.123.129.237     6      139     2988
222.84.236.98       6     1023     2414
222.84.236.98       6     9898     2398
64.228.209.103      6      135     2305
Determining who to consider peering with gets a lot easier. (ASNs left
off to annoy the truly curious.)
As a provider, we don't want to be filtering heavily, as it invariably
leads to making allowances for Customer X. The management overhead, as
well as the impact on packet processing, is too great. It's easier for us
to be able to monitor and report to our customers what's affecting them,
and make sure they have the right tools in place to protect them from
these kinds of shenanigans.
- billn
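The query in the post above, reproduced as an added example that is not part of the original message: it runs the same "short flows grouped by source, proto and destination port" ranking over a constructed set of NetFlow-style records with sqlite3, so the scanner-ranking idea can be tried offline. The flows table layout, the sample addresses and the option to count distinct destinations are assumptions added here; only the shape of the query comes from the post.

```python
"""Flow-based scanner ranking, after the query in the NANOG post.

Added example, not code from the original post.  The flows table and the
sample traffic are constructed here; the query shape is the post's.
"""
import sqlite3
from collections import namedtuple

Flow = namedtuple("Flow", "source destination proto dstPort packets")

TCP, ICMP = 6, 1  # IP protocol numbers, as in the post's "proto" column


def make_sample_flows():
    """Constructed sample records, not real traffic.

    One host sends a single SYN to 200 targets on tcp/445 (worm style),
    one host sends two packets to 120 targets on tcp/135, and one host has
    a handful of long-lived HTTPS sessions plus a single short probe.
    """
    flows = []
    for i in range(1, 201):
        flows.append(Flow("203.0.113.50", f"198.51.100.{i}", TCP, 445, 1))
    for i in range(1, 121):
        flows.append(Flow("203.0.113.77", f"198.51.100.{i}", TCP, 135, 2))
    for i in range(1, 6):
        flows.append(Flow("203.0.113.9", f"198.51.100.{i}", TCP, 443, 350))
    flows.append(Flow("203.0.113.9", "198.51.100.200", TCP, 445, 3))
    return flows


def rank_short_flows(flows, max_packets=4, min_count=1, distinct=False):
    """Return (source, proto, dstPort, count) rows, busiest first.

    max_packets: a flow with fewer packets than this counts as a failed or
                 one-shot connection attempt (the post uses 4).
    min_count:   noise floor; sources below it are dropped so a single
                 stray probe from a normal client does not make the list.
    distinct:    count distinct destinations instead of flows, so a scanner
                 that retries the same targets is not inflated (assumption
                 added here; the post counts flows).
    """
    agg = "COUNT(DISTINCT destination)" if distinct else "COUNT(destination)"
    query = (
        f"SELECT source, proto, dstPort, {agg} AS count "
        "FROM flows "
        "WHERE packets < ? "
        "GROUP BY source, proto, dstPort "
        "ORDER BY count DESC"
    )
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE flows (source TEXT, destination TEXT, "
        "proto INTEGER, dstPort INTEGER, packets INTEGER)"
    )
    conn.executemany("INSERT INTO flows VALUES (?, ?, ?, ?, ?)", flows)
    rows = conn.execute(query, (max_packets,)).fetchall()
    conn.close()
    return [row for row in rows if row[3] >= min_count]


if __name__ == "__main__":
    print(f"{'Source':<18}{'proto':>6}{'dstPort':>9}{'count':>7}")
    for src, proto, port, cnt in rank_short_flows(make_sample_flows(), min_count=50):
        print(f"{src:<18}{proto:>6}{port:>9}{cnt:>7}")
```

Without a noise floor the HTTPS client still shows up with a count of 1 for its single short probe to tcp/445; with min_count set to a few dozen, only the two scanning hosts remain, which is the kind of list the post uses to decide who is worth peering with.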
More information about the NANOG mailing list