de-peering for security sake

Stephen Satchell list at satchell.net
Sat Dec 26 15:09:28 UTC 2015 

On 12/26/2015 06:19 AM, Mike Hammett wrote:
> How much is an acceptable standard to the community? Individual /32s
> ( or /64s)? Some tipping point where 50% of a /24 (or whatever it's
> IPv6 equivalent would be) has made your naughty list that you block
> the whole prefix?

My gauge is volume of obnoxious traffic.  When I get lots of SSH probes 
from a /32, I block the /32.  When I get lots of SSH probes across a 
range of a /24, I block the /24.

When I see that the bad traffic has caused me to block multiple /24s, I 
will block the entire allocation.

By "lots" I mean hundreds or more.  When the criminals try to bust my 
door down, I take stops to stop them.

Ditto with attempts to relay mail through my mail servers.

My goal isn't to reduce traffic.  My goal is to stop irresponsible 
people from finding a rat-hole to do things I don't authorize them to 
do.  Defense in depth.

This is in addition to selecting the TCP and UDP ports carefully that I 
expose to the outside world.  Indeed, I have separate ACLs for inbound, 
outbound, and DMZ ports.  So, I've limited service from the inside to 
the outside to this:

> #       ---originated by LAN host to Internet
> FORWARD_TCP="ftp ssh snmp telnet smtp smtps submission domain http https ntp nicname rwhois pop3 pop3s imap imaps radius"
> FORWARD_TCP="$FORWARD_TCP 465 8008 webcache 8443 8888 snpp rsync"
> #           xmpp-client
> FORWARD_TCP="$FORWARD_TCP 5222 5223 8002"
> #           Microsoft Notification Protocol (msnp) [Messenger]
> FORWARD_TCP="$FORWARD_TCP 1863"
> #           Microsoft PPTP
> FORWARD_TCP="$FORWARD_TCP 1723"
> #           Timbuktu client, Service Ports 1-4
> FORWARD_TCP="$FORWARD_TCP 407 1417:1420"
> #           memoq
> FORWARD_TCP="$FORWARD_TCP 2705"
> #
> FORWARD_UDP="domain ntp snmp 407 443 500 1419 1701 1812 4500 snmp 3389 10000 55555 "

Your client base and my client base differ.  I make NNAP difficult to 
use against the world from my people.  But I don't hamstring them; if 
they want access to an outside service, they have but to ask.

I also terminate spammers.

More information about the NANOG mailing list