de-peering for security sake

Mike Hammett nanog at
Sat Dec 26 15:30:02 UTC 2015

1) Automation is your friend. 
2) If a host is compromised and doing an SSH scan, it's likely going to also be attempting SMTP, WordPress, home router, etc. attacks. Use a canary to block that host altogether to better your network. 

Mike Hammett 
Intelligent Computing Solutions 

Midwest Internet Exchange 

----- Original Message -----

From: "Baldur Norddahl" <baldur.norddahl at> 
To: nanog at 
Sent: Saturday, December 26, 2015 9:19:15 AM 
Subject: Re: de-peering for security sake 

On 26 December 2015 at 16:09, Stephen Satchell <list at> wrote: 

> On 12/26/2015 06:19 AM, Mike Hammett wrote: 
>> How much is an acceptable standard to the community? Individual /32s 
>> ( or /64s)? Some tipping point where 50% of a /24 (or whatever it's 
>> IPv6 equivalent would be) has made your naughty list that you block 
>> the whole prefix? 
> My gauge is volume of obnoxious traffic. When I get lots of SSH probes 
> from a /32, I block the /32. When I get lots of SSH probes across a range 
> of a /24, I block the /24. 

Do you people have nothing better to do than scan firewall log files and 
insert rules to block stuff that was already blocked by default? 

Hint: if ssh probes spams your log then move your ssh service to a non 
standard port. 



More information about the NANOG mailing list