de-peering for security sake

Joe Abley jabley at
Sat Dec 26 16:14:25 UTC 2015

On Dec 26, 2015, at 10:09, Stephen Satchell <list at> wrote:

> My gauge is volume of obnoxious traffic.  When I get lots of SSH probes from a /32, I block the /32.

... without any knowledge of how many end systems are going to be affected.

A significant campus or provider user base behind a NAT is likely to
have more infections in absolute terms, which means more observed bad
behaviour. It also means more end-systems (again, in absolute terms)
that represent collateral damage.

> When I get lots of SSH probes across a range of a /24, I block the /24.


> When I see that the bad traffic has caused me to block multiple /24s, I will block the entire allocation.

Your network, your rules. But that's not the way I would manage things
if I thought my job was to optimise and maximise connectivity between
my users and the Internet.

With respect to ssh scans in particular -- disable all forms of
password authentication and insist upon public key authentication
instead. If the password scan log lines still upset you, stop logging


More information about the NANOG mailing list