Where are static bogon filters appropriate? was: 96.2.0.0/16 Bogons

Sean Donelan sean at donelan.com
Fri Mar 9 18:59:22 UTC 2007


On Tue, 6 Mar 2007, Mikael Abrahamsson wrote:
> Customer gets hacked, one of their boxen starts spewing traffic with spoofed 
> addresses. The way I understand your solution is to automatically shut their 
> port and disrupt all their traffic, and have them call customer support to 
> get any further.
>
> Do you really think this is a good solution?
>
> I don't see any customer with a choice continuing having a relationship with 
> me if I treat them like that. It will cost me and them too much.
>
> So instead I just drop their spoofed traffic and if they call and say that 
> their line is slow, I'll just say it's full and they can themselves track 
> down the offending machine and shut it off to solve the problem.

Compromised systems rarely have one thing wrong with them, and delaying
the pain just makes things worse.

Drop spoofed traffic, and they send non-spoofed packets.
Block port 25, and they send slammer on port 1434
Block messenger port 1025, and they send DNS DOS on port 53
Block irc bots port 6667, and they send VOIP spam port 5060
and so on and so on.

<http://www.washingtonpost.com/wp-dyn/content/article/2007/03/08/AR2007030802012.html>
    The fast-spreading virus infected as many as 200 county computers
    Wednesday, and technicians shut down the entire network for Anne
    Arundel offices for more than 24 hours.

http://msmvps.com/blogs/donna/archive/2006/02/12/83332.aspx
    One day last year, things started going haywire at Northwest Hospital
    and Medical Center. Key cards would no longer open the operating-room
    doors; computers in the intensive-care unit shut down; doctors' pagers
    wouldn't work.

    It turns out the Seattle hospital's computers . along with up to 50,000
    others across the country . had been turned into an army of robots
    controlled by 20-year-old

Caused by "known" vulnerabilities with patches available, but the 
customers decided it wasn't "important" enough to take action before
they lost everything.

Is it really customer service to avoid the issue?



More information about the NANOG mailing list