de-peering for security sake

Stephen Satchell list at satchell.net
Fri Dec 25 15:35:00 UTC 2015


On 12/25/2015 06:18 AM, Mike Hammett wrote:
> To the thread, not necessarily Daniel, if blocking
> countries\continents is a bad thing (not saying I disagree), how do
> you deal with the flood of trash? Just take it on the chin?
>
> The degree of splash damage by blocking this way will vary based
> upon what kind of network you are. Residential eyeballs? You could
> probably block most of a lot of things and people wouldn't notice
> or care, as long as it wasn't Google, Facebook, Netflix, etc.

In my networks, different users have different requirements.  So I have 
to be careful in my ACLs to allow what they need, while reducing access 
by those who view the Internet as a sewer, and not as a privilege. (Used 
to be a BOFH in the NSF days.)

So my blocking list has grown, as I have identified bad actors from the 
information in my logs.  Keeping in mind that people with one bad habit 
will most likely have other bad habits as well, I keep it simple: if you 
don't play nice, you are blocked at the demarc.

For the majority of my users, I provide access behind a router with 
the block list shown below.  For those customers who want an unblocked 
feed, I provide that by having the edge bypass the filtering router. (No 
one has asked yet for custom filters -- 1841s are cheap and easy, and 
don't take much power.)

I don't intend to provide this list for others to use.  I provide this 
list as an example of how I exercise my right of Internet Freedom of 
Association, and keep my own network safe from intruders.  Abuse reports? 
I've given up on them, frankly.  My logs don't include enough 
information for some admins, so they drop my reports without further 
comment.  When there is an admin listed.

The nice thing about IPTABLES is that I can pull a report, if I want to, 
of which of these blocks are still generating traffic.  As we go farther 
down the IPv4-split road, I may just set up a database of the blocks, 
and monitor the traffic to see which ones have gone silent and thus can 
be removed.  Or not -- that's a lot of work and time, both of which I 
can direct to activities that bring in revenue.

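The counter report the message describes (which blocks are still generating traffic, and which have gone silent), as an added example that is not part of the original post. It assumes the blocks are source-based `DROP` rules and that two `iptables-save -c` snapshots are compared; the chain name, comments and addresses are constructed, using documentation ranges.

```python
import re
import shlex

# Constructed excerpts of two `iptables-save -c` snapshots taken some time apart.
# Addresses are documentation/benchmark ranges, not entries from the post's list.
SNAPSHOT_OLD = """\
:FORWARD ACCEPT [1000:80000]
[120:7200] -A FORWARD -s 192.0.2.0/24 -m comment --comment "ssh abuser" -j DROP
[40:2400] -A FORWARD -s 198.51.100.0/24 -m comment --comment "spam" -j DROP
[0:0] -A FORWARD -s 203.0.113.7/32 -j DROP
COMMIT
"""
SNAPSHOT_NEW = """\
:FORWARD ACCEPT [1900:152000]
[120:7200] -A FORWARD -s 192.0.2.0/24 -m comment --comment "ssh abuser" -j DROP
[55:3300] -A FORWARD -s 198.51.100.0/24 -m comment --comment "spam" -j DROP
[0:0] -A FORWARD -s 203.0.113.7/32 -j DROP
[3:180] -A FORWARD -s 198.18.0.0/15 -m comment --comment "new block" -j DROP
COMMIT
"""

RULE = re.compile(r"^\[(\d+):(\d+)\]\s+(-A\s.+)$")

def parse_counters(text):
    """Return {(chain, source): (packets, comment)} for source-based DROP rules."""
    rules = {}
    for line in text.splitlines():
        m = RULE.match(line.strip())
        if not m:
            continue  # chain policy line, COMMIT, table header
        args = shlex.split(m.group(3))  # honours the quoted --comment text
        opts = {a: b for a, b in zip(args, args[1:]) if a.startswith("-")}
        if opts.get("-j") == "DROP" and "-s" in opts:
            rules[(opts["-A"], opts["-s"])] = (int(m.group(1)), opts.get("--comment", ""))
    return rules

def silent_blocks(old_text, new_text):
    """Blocks whose packet counter did not advance between the two snapshots."""
    old, new = parse_counters(old_text), parse_counters(new_text)
    report = []
    for key, (pkts, comment) in sorted(new.items()):
        if key not in old:
            continue  # rule added after the old snapshot: no baseline yet
        delta = pkts - old[key][0]
        if delta < 0:  # counters were zeroed (iptables -Z, reload, reboot)
            delta = pkts
        if delta == 0:
            report.append((key[1], comment))
    return report
```

A block that stays in the `silent_blocks` result across many snapshot pairs is a candidate for removal; a single quiet interval is not evidence that the source has stopped.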



