dealing with bogon spam ?

Jeroen Massar jeroen at unfix.org
Wed Oct 28 09:36:46 UTC 2009


Leslie wrote:
[..]
> It seems to me like the best solution might be a semi-hacky solution of
> asking arin (and other IRR's) if i can copy its DB and creating an
> internal peer which null routes unallocated blocks (updated nightly?)

What you want to take is:

$rirs = array(
                "afrinic"       =>
"ftp://ftp.ripe.net/pub/stats/afrinic/delegated-afrinic-latest",
                "apnic"         =>
"ftp://ftp.ripe.net/pub/stats/apnic/delegated-apnic-latest",
                "arin"          =>
"ftp://ftp.arin.net/pub/stats/arin/delegated-arin-latest",
                "lacnic"        =>
"ftp://ftp.ripe.net/pub/stats/lacnic/delegated-lacnic-latest",
                "ripe"          =>
"ftp://ftp.ripe.net/pub/stats/ripencc/delegated-ripencc-latest",
                "brnic"         =>
"ftp://ftp.registro.br/pub/stats/delegated-ipv6-nicbr-latest",

//// Avoid broken/slow servers:
////            "afrinic"       =>
"ftp://ftp.afrinic.net/pub/stats/afrinic/delegated-afrinic-latest",
////            "apnic"         =>
"ftp://ftp.apnic.net/apnic/stats/apnic/delegated-apnic-latest",
////            "lacnic"        =>
"ftp://ftp.lacnic.net/pub/stats/lacnic/delegated-lacnic-latest",
);


Yes, generally the latter three are broken, but as they are mirrored to
RIPE anyway, you can just pull them off there.

Then you have all IPv4 and IPv6 delegated blocks. If it is not in there,
it is a bogon. Yes, those are updated only once in a day or so, thus if
some one is going to start using the block before it is published in
those files you will get some false-positives, but then ask the question
why they get a block up so quickly and start spamming you in the first
place.....

Those /stats/ dirs contain other useful things btw.

Greets,
 Jeroen

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 196 bytes
Desc: OpenPGP digital signature
URL: <http://mailman.nanog.org/pipermail/nanog/attachments/20091028/f294a0ad/attachment.sig>


More information about the NANOG mailing list