BGP hijack from 23724 -> 4134 China?

Brielle Bruns bruns at 2mbit.com
Fri Apr 9 02:35:15 UTC 2010


On 4/8/10 8:17 PM, Danny McPherson wrote:
>
> On Apr 8, 2010, at 8:05 PM, Brielle Bruns wrote:
>>
>> Since there's been a lot of requests for the ACLs, I've gone ahead and put the info on our wiki for easy access.
>>
>> http://wiki.sosdg.org/sosdg:internal:chinafilter
>>
>> Hope it comes in handy, and please let me know if I'm missing anything.
>
> If you're going to post this and folks are actually going to consider
> employing it I suspect it'd be well worthwhile to include on that page
> how you generated it and how you keep it updated -- so that it can be
> updated by others as necessary.
>

It's sorta a mess to generate that final list.

The best way is to take the Country IP Blocks list, use a tool like 
cidr-convert.c (http://www.spamshield.org/cidr-convert.c) to aggregate 
blocks.

For Foundry, there's the ability to enter into an input mode for ACLs 
where you can dump a list of CIDR blocks, and it will handle the 
conversion into access-list commands.


I grabbed that access-list from the routers directly, so that's why it's 
been generated already.  If there's a tool for UNIX/Linux that can 
generate the wildcard masks from CIDR in bulk for use in creating ACLs, 
I'd be happy to put it up on the page.


> Additionally, folks should note that this policy would have made zero
> difference in this particular incident, most of you likely realize that.
> Furthermore, a policy such as this does nothing to mitigate exfiltration
> of data TO those address blocks you've listed.
>

Of course, this won't fix the prefix leaks.  I think everyone here knows 
that.  :)


> FWIW, this is a lot like putting a bandaid on a headache - it's not going
> to do much good in reality, and likely cause more harm than good in properly
> secured networks - but it might make some folks feel a little better.
>

More harm than good is a matter of opinion.  Denying all of mainland 
China reduces the amount of attacks on my network.  If you consider that 
masking security problems rather than fixing them, then *shrugs*.  It's 
just one of many layers.  It also allows me to make and enforce the 
statement that I will not tolerate the bullshit China pulls.



-- 
Brielle Bruns
The Summit Open Source Development Group
http://www.sosdg.org    /     http://www.ahbl.org
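One way to do the bulk CIDR-to-wildcard conversion the post asks about, as an added example that is not part of the original thread or of the wiki page it links: a short Python script that aggregates a list of CIDR blocks (the step cidr-convert.c does in the post) and emits IOS-style access-list entries with inverted (wildcard) masks. The sample block list and the ACL number 100 are constructed; the output syntax is the Cisco IOS extended ACL form, not Foundry's, and only IPv4 is handled.

```python
import ipaddress

# Constructed sample input in the shape of a country block list.
# These are RFC 5737 / RFC 1918 example ranges, not real allocations.
SAMPLE_BLOCKS = """
192.0.2.0/25
192.0.2.128/25
198.51.100.0/24
203.0.113.0/24
203.0.113.64/26    # already covered by the /24 above
10.0.0.0/9
10.128.0.0/9
"""


def parse_blocks(text):
    """Parse one IPv4 CIDR per line, ignoring blanks and '#' comments.
    strict=False masks off stray host bits (e.g. 192.0.2.5/24 -> 192.0.2.0/24)."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.IPv4Network(line, strict=False))
    return nets


def aggregate(nets):
    """Merge adjacent prefixes and drop prefixes covered by a larger one.
    Fewer, larger entries keep the ACL short and the TCAM footprint small."""
    return list(ipaddress.collapse_addresses(nets))


def wildcard_mask(net):
    """IOS wildcard mask: inverted netmask, 0 = must match, 1 = don't care."""
    return str(net.hostmask)


def acl_lines(nets, acl_number=100):
    """Render the aggregated blocks as 'deny' entries plus a final permit."""
    lines = []
    for net in aggregate(nets):
        if net.prefixlen == 32:
            lines.append(f"access-list {acl_number} deny ip host {net.network_address} any")
        else:
            lines.append(f"access-list {acl_number} deny ip {net.network_address} "
                         f"{wildcard_mask(net)} any")
    lines.append(f"access-list {acl_number} permit ip any any")
    return lines


if __name__ == "__main__":
    print("\n".join(acl_lines(parse_blocks(SAMPLE_BLOCKS))))
```

Feed it the real country list instead of SAMPLE_BLOCKS and diff successive runs to see exactly which entries changed when the upstream list is refreshed.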



