BGP hijack from 23724 -> 4134 China?

Danny McPherson danny at tcb.net
Thu Apr 8 23:05:23 CDT 2010


On Apr 8, 2010, at 8:35 PM, Brielle Bruns wrote:
> 
> More harm then good is a matter of opinion.  Denying all of mainland China reduces the amount of attacks on my network.  If you consider that masking security problems rather then fixing them, then *shrugs*.  Its just one of many layers.  It also allows me to make and enforce the statement that I will not tolerate the bullshit China pulls.

FWIW, I get it - folks are surely going to implement local security 
policies that are first aligned with corporate [and national] security 
objectives.

My concern is that if people think bogon filters break stuff, just wait
until a couple thousand networks start selectively filtering countries 
based on some notion of geoIP mappings (e.g., CN today, KP and IR 
tomorrow, etc..), when in many cases prefixes span lots of national 
boundaries (as do many ASNs) - the Internet will continue to fragment
and brokenness will result.

As an example of how such network filtering policies might well become 
an operational problem consider a client using Online Certificate Status 
Protocol (OCSP) with X.509 digital certificates before setting up a secure
connection to a web server somewhere in Asia (the server itself may well 
NOT be inside of China).  The client, wanting to inquire as to the state 
(revocation status) of a particular certificate generated by that CNNIC 
CA embedded in their Firefox client, reaches out to an OCSP server that's 
authoritative for the cert - in this case CNNIC.  Unfortunately, CNNIC, 
which primarily resides within 218.241.0.0/16, isn't reachable because 
of this entry in your ACL: 

access-list 199 deny ip 218.240.0.0 0.7.255.255 any

Now, whether you or any of the users on your network choose to leave that 
CNNIC CA (or others) enabled in your client is a separate issue, but 
default drop policies such as you're recommending can certainly result
in some collateral damage that can be very tedious to debug, and possibly
even broaden attack surfaces themselves.

I'm not particularly a fan of bogon filters for reasons outlined here 
and elsewhere many times before - and bogon addresses theoretically 
don't have live clients and servers folks might be legitimately be 
transacting with. 

-danny



More information about the NANOG mailing list