On 4/8/10 8:17 PM, Danny McPherson wrote:
> On Apr 8, 2010, at 8:05 PM, Brielle Bruns wrote:
>> Since there have been a lot of requests for the ACLs, I've gone ahead and put the
>> info on our wiki for easy access.
>> http://wiki.sosdg.org/sosdg:internal:chinafilter
>> Hope it comes in handy, and please let me know if I'm missing anything.
> If you're going to post this and folks are actually going to consider
> employing it I suspect it'd be well worthwhile to include on that page
> how you generated it and how you keep it updated -- so that it can be
> updated by others as necessary.
It's sorta a mess to generate that final list.
The best way is to take the Country IP Blocks list, use a tool like
cidr-convert.c (http://www.spamshield.org/cidr-convert.c) to aggregate
blocks.
For Foundry, there's the ability to enter into an input mode for ACLs
where you can dump a list of CIDR blocks, and it will handle the
conversion into access-list commands.
I grabbed that access-list from the routers directly, so that's why it's
been generated already. If there's a tool for UNIX/Linux that can
generate the wildcard masks from CIDR in bulk for use in creating ACLs,
I'd be happy to put it up on the page.
> Additionally, folks should note that this policy would have made zero
> difference in this particular incident, most of you likely realize that.
> Furthermore, a policy such as this does nothing to mitigate exfiltration
> of data TO those address blocks you've listed.
Of course, this won't fix the prefix leaks. I think everyone here knows
that. :)
> FWIW, this is a lot like putting a bandaid on a headache - it's not going
> to do much good in reality, and likely cause more harm than good in properly
> secured networks - but it might make some folks feel a little better.
More harm than good is a matter of opinion. Denying all of mainland
China reduces the amount of attacks on my network. If you consider that
masking security problems rather than fixing them, then *shrugs*. It's
just one of many layers. It also allows me to make and enforce the
statement that I will not tolerate the bullshit China pulls.
--
Brielle Bruns
The Summit Open Source Development Group
http://www.sosdg.org / http://www.ahbl.org
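The generation steps Brielle describes (take the country block list, aggregate the CIDRs, emit wildcard-mask access-list lines), as an added example that is not part of the original thread or of the sosdg wiki page. It uses Python's standard ipaddress module in place of cidr-convert.c; the sample prefixes are constructed RFC 5737 documentation ranges, and the ACL number and deny action are assumptions.

```python
import ipaddress
from typing import Iterable, List

# Constructed sample input standing in for a country IP-blocks download.
# These are RFC 5737 documentation prefixes, not any real allocation;
# two of them are adjacent and one is nested so that aggregation has work to do.
SAMPLE_BLOCKS = """
# comment lines and blank lines are ignored
192.0.2.0/25
192.0.2.128/25
198.51.100.0/24
203.0.113.0/24
203.0.113.0/26
"""


def parse_blocks(text: str) -> List[ipaddress.IPv4Network]:
    """Parse one IPv4 CIDR (or bare address) per line, skipping blanks and '#' comments."""
    nets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            # strict=False tolerates host bits set in the input (e.g. 10.1.2.3/24)
            nets.append(ipaddress.IPv4Network(line, strict=False))
    return nets


def aggregate(nets: Iterable[ipaddress.IPv4Network]) -> List[ipaddress.IPv4Network]:
    """Merge adjacent and overlapping prefixes into the smallest equivalent set,
    the job cidr-convert.c does in the thread above. The result is sorted."""
    return list(ipaddress.collapse_addresses(nets))


def to_acl(nets: Iterable[ipaddress.IPv4Network],
           acl_number: int = 100, action: str = "deny") -> List[str]:
    """Render Cisco/Foundry-style extended ACL entries.
    The wildcard mask is the bitwise inverse of the netmask, which the
    ipaddress module already exposes as .hostmask (/24 -> 0.0.0.255)."""
    return [f"access-list {acl_number} {action} ip {n.network_address} {n.hostmask} any"
            for n in nets]


def build_acl(text: str, acl_number: int = 100) -> List[str]:
    """Country block list text -> aggregated, wildcard-masked deny entries."""
    return to_acl(aggregate(parse_blocks(text)), acl_number)


if __name__ == "__main__":
    print("\n".join(build_acl(SAMPLE_BLOCKS)))
```

Feed it the downloaded block list on stdin or as a file instead of SAMPLE_BLOCKS and paste the output into the router's ACL input mode; re-running it against a fresh download is the update procedure Danny asked for.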