On Jan 11, 2015, at 15:28, Colin Johnston <col...@gt86car.org.uk> wrote:
>
> unfortunately chinanet antispam/abuse email box is always full, after a while
> people block.
> always check arin/ripe for known good provider blocks and actively exclude
> from rules

They aren't the only ones who never reply to abuse@.

> ddos protection via careful overview ips rules and active web source ip
> monitoring works well, the hard part is daily rule updates and blocks until
> you know most traffic is genuine.

No one is advocating "never block anything". However, automatic blocking based on a single DNS packet to a non-DNS server is .. let's call it counterproductive.

Good hygiene is necessary both on outgoing packets and on blocking. Checking ARIN/RIPE (not APNIC, LACNIC, AFRINIC?) is not even the bare minimum you should be doing.

--
TTFN,
patrick

>> On 11 Jan 2015, at 19:42, "Patrick W. Gilmore" <patr...@ianai.net> wrote:
>>
>> I do love solutions which open larger attack surfaces than they are supposed
>> to close. In the US, we call that "a cure worse than the disease".
>>
>> Send packet from random bot with source of Google, Comcast, Akamai, etc. to
>> Mr. Hammett's not-DNS / honeypot / whatever, and watch him close himself off
>> from the world.
>>
>> Voilà! Denial of service accomplished without all the hassle of sending 100s
>> of Gbps of traffic.
>>
>> Best part is he was willing to explain this to 10,000+ of his not-so-closest
>> friends, in a search-engine-indexed manner.
>>
>> --
>> TTFN,
>> patrick
>>
>>> On Jan 11, 2015, at 14:34, Phil Bedard <bedard.p...@gmail.com> wrote:
>>>
>>> Many attacks can use spoofed source IPs, so who are you really blocking?
>>>
>>> That's why BCP38 as mentioned many times already is a necessary tool in
>>> fighting the attacks overall.
>>>
>>> Phil
>>>
>>>> On 1/11/15, 4:33 PM, "Mike Hammett" <na...@ics-il.net> wrote:
>>>>
>>>> I didn't necessarily think I was shattering minds with my ideas.
>>>>
>>>> I don't have the time to read a dozen presentations.
>>>>
>>>> Blackhole them and move on. I don't care whose feelings I hurt. This
>>>> isn't kindergarten. Maybe "you" should have tried a little harder to not
>>>> get a virus in the first place. Quit clicking on male enhancement ads or
>>>> update your OS occasionally. I'm not going to spend a bunch of time and
>>>> money to make sure someone's bubble of bliss doesn't get popped. Swift,
>>>> effective, cheap. Besides, you're only cut off for 30 days. If in 30 days
>>>> you can prove yourself to be responsible, we can try this again. Well,
>>>> that or a sufficient support request.
>>>>
>>>> Besides, if enough people did that, the list of blackholes wouldn't be
>>>> huge as someone upstream already blocked them.
>>>>
>>>> -----
>>>> Mike Hammett
>>>> Intelligent Computing Solutions
>>>> http://www.ics-il.com
>>>>
>>>> ----- Original Message -----
>>>>
>>>> From: "Roland Dobbins" <rdobb...@arbor.net>
>>>> To: nanog@nanog.org
>>>> Sent: Sunday, January 11, 2015 9:29:33 AM
>>>> Subject: Re: DDOS solution recommendation
>>>>
>>>>> On 11 Jan 2015, at 22:21, Mike Hammett wrote:
>>>>>
>>>>> I'm not saying what you're doing is wrong, I'm saying whatever the
>>>>> industry as a whole is doing obviously isn't working and perhaps a
>>>>> different approach is required.
>>>>
>>>> You haven't recommended anything new, and you really need to do some
>>>> reading in order to understand why it isn't as simple as you seem to
>>>> think it is.
>>>>
>>>>> Security teams? My network has me, myself and I.
>>>>
>>>> And a relatively small network, too.
>>>>
>>>>> If for example ChinaNet's abuse department isn't doing anything about
>>>>> complaints, eventually their whole network gets blocked a /32 at a
>>>>> time. *shrugs* Their loss.
>>>>
>>>> Again, it isn't that simple.
>>>>
>>>> -----------------------------------
>>>> Roland Dobbins <rdobb...@arbor.net>
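A defensive counterpart to the point raised in this thread (an automatic blackhole fed by single, possibly spoofed packets can be turned against you), as an added example that is not code from any poster here: the policy only counts honeypot hits backed by a completed TCP handshake, requires an assumed minimum count before acting, and never auto-blocks sources inside a constructed allowlist of known-good prefixes (documentation ranges stand in for what you would look up at the RIRs).

```python
"""Auto-blackhole decision logic that resists spoofed-source self-DoS.

Added example, not from the NANOG thread. Assumed: each honeypot event is a
dict with keys src, proto and handshake_complete; the allowlist prefixes and
the hit threshold are constructed for illustration.
"""
import ipaddress
from collections import defaultdict

# Constructed allowlist standing in for prefixes verified against all five
# RIRs (ARIN, RIPE, APNIC, LACNIC, AFRINIC). RFC 5737 documentation ranges.
KNOWN_GOOD = [ipaddress.ip_network(p) for p in ("192.0.2.0/24", "198.51.100.0/24")]

MIN_UNSPOOFABLE_HITS = 3  # assumed threshold, not taken from the thread


def is_known_good(src: str) -> bool:
    """True if src falls inside a prefix we have decided never to auto-block."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in KNOWN_GOOD)


def decide_blocks(events):
    """Return the sorted list of /32 sources that earn an automatic blackhole.

    A lone packet proves nothing about its sender: UDP and bare TCP SYNs can
    carry any source address. Only hits where the honeypot completed a TCP
    handshake count (the peer demonstrably answered at that address), and
    even those need MIN_UNSPOOFABLE_HITS. Allowlisted sources are excluded;
    those belong in a human review queue, not an automatic null route.
    """
    hits = defaultdict(int)
    for ev in events:
        if ev["proto"] == "tcp" and ev.get("handshake_complete"):
            hits[ev["src"]] += 1
    return sorted(src for src, n in hits.items()
                  if n >= MIN_UNSPOOFABLE_HITS and not is_known_good(src))


# Constructed sample: one spoofed-looking UDP DNS packet claiming an
# allowlisted source, repeated handshakes from an allowlisted source, repeated
# handshakes from an unknown source, and a single handshake from another.
SAMPLE_EVENTS = (
    [{"src": "192.0.2.10", "proto": "udp", "dport": 53}]
    + [{"src": "198.51.100.5", "proto": "tcp", "handshake_complete": True}] * 3
    + [{"src": "203.0.113.7", "proto": "tcp", "handshake_complete": True}] * 3
    + [{"src": "203.0.113.9", "proto": "tcp", "handshake_complete": True}]
)

if __name__ == "__main__":
    print(decide_blocks(SAMPLE_EVENTS))  # → ['203.0.113.7']
```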