BGP hijack from 23724 -> 4134 China?
Brielle Bruns
bruns at 2mbit.com
Fri Apr 9 02:35:15 UTC 2010
On 4/8/10 8:17 PM, Danny McPherson wrote:
>
> On Apr 8, 2010, at 8:05 PM, Brielle Bruns wrote:
>>
>> Since there's been alot of requests for the ACLs, i've gone ahead and put the info on our wiki for easy access.
>>
>> http://wiki.sosdg.org/sosdg:internal:chinafilter
>>
>> Hope it comes in handy, and please let me know if i'm missing anything.
>
> If you're going to post this and folks are actually going to consider
> employing it I suspect it'd be well worthwhile to include on that page
> how you generated it and how you keep it updated -- so that it can be
> updated by others as necessary.
>
Its sorta a mess to generate that final list.
The best way, is to take the County IP Blocks list, use a tool like
cidr-convert.c (http://www.spamshield.org/cidr-convert.c) to aggregate
blocks.
For Foundry, there's the ability to enter into an input mode for ACLs
where you can dump a list of CIDR blocks, and it will handle the
conversion into access-list commands.
I grabbed that access-list from the routers directly, so thats why it's
been generated already. If there's a tool for UNIX/Linux that can
generate the wildcard masks from CIDR in bulk for use in creating ACLs,
I'd be happy to put it up on the page.
> Additionally, folks should note that this policy would have made zero
> difference in this particularly incident, most of you likely realize that.
> Furthermore, a policy such as this does nothing to mitigate exfiltration
> of data TO those address blocks you've listed.
>
Of course, this wont fix the prefix leaks. I think everyone here knows
that. :)
> FWIW, this is a lot like putting a bandaid on a headache - it's not going
> to do much good in reality, and likely cause more harm than good in properly
> secured networks - but it might make some folks feel a little better.
>
More harm then good is a matter of opinion. Denying all of mainland
China reduces the amount of attacks on my network. If you consider that
masking security problems rather then fixing them, then *shrugs*. Its
just one of many layers. It also allows me to make and enforce the
statement that I will not tolerate the bullshit China pulls.
--
Brielle Bruns
The Summit Open Source Development Group
http://www.sosdg.org / http://www.ahbl.org
More information about the NANOG
mailing list