[172644] in North American Network Operators' Group
RE: Team Cymru / Spamhaus
daemon@ATHENA.MIT.EDU (SysIT)
Fri Jun 27 15:55:10 2014
X-Original-To: nanog@nanog.org
From: SysIT <IT@SysAccess.net>
To: "Darden, Patrick" <Patrick.Darden@p66.com>, Adam Greene
<maillist@webjogger.net>, 'NANOG list' <nanog@nanog.org>
Date: Fri, 27 Jun 2014 19:55:37 +0000
In-Reply-To: <74825E6950ECDE449817715200CEAD2703BA327F6D@BRTEXMB76.phillips66.net>
Errors-To: nanog-bounces@nanog.org
Appreciate the Clarification Darden, I wasn't aware Spamhaus had this other division / service, time for some reading.
-----Original Message-----
From: Darden, Patrick [mailto:Patrick.Darden@p66.com]
Sent: Friday, June 27, 2014 11:50 AM
To: SysIT; Adam Greene; 'NANOG list'
Subject: RE: Team Cymru / Spamhaus
I feel like you are conflating DOS and DDOS. DOS attacks can be bandwidth related, but they can also be malformed packets, injections, etc. ad nauseam. DDOS are almost always, as you say, bandwidth wars.
The Spamhaus BGPF project has nothing to do with Spam--it is an attempt to provide filters for botnets and other malware hosts/nets, including DDOS and some DOS attacks. However, it will only work if you use it--with the chance for false positives implicitly there.
The CYMRU FULLBOGON list won't help with DOS or DDOS--it is simply a list of martians, netblocks, and allocated but unassigned IP space. Well worth using, and a fabulous resource.
--patrick darden
-----Original Message-----
From: NANOG [mailto:nanog-bounces@nanog.org] On Behalf Of SysIT
Sent: Friday, June 27, 2014 10:23 AM
To: Adam Greene; 'NANOG list'
Subject: [EXTERNAL]RE: Team Cymru / Spamhaus
That won't stop a DoS.
A DoS or DDoS is pure bandwidth wars for the most part, if someone is to DoS you, they already have your IPs and URLs they need to attack you, thus a spam list won't stop an attack.
If you want to minimize actual spam, sure.
-----Original Message-----
From: NANOG [mailto:nanog-bounces@nanog.org] On Behalf Of Adam Greene
Sent: Friday, June 27, 2014 9:18 AM
To: 'NANOG list'
Subject: Team Cymru / Spamhaus
Hi all,

We're evaluating whether to add BGP feeds from these two sources in an attempt to minimize exposure to DoS.

The Team Cymru BOGON list (
http://www.team-cymru.org/Services/Bogons/bogon-bn-nonagg.txt or
http://www.team-cymru.org/Services/Bogons/bogon-bn-agg.txt
)
looks promising and common-sense.

We already filter RFC1918 inbound at our edge, and are interested to see if adding the rest of the blocks will have a significant positive effect.

If it does, we're planning to try the IPv4 FULLBOGON list:

http://www.team-cymru.org/Services/Bogons/fullbogons-ipv4.txt

We're a little more leery about trying Spamhaus's BGPf service (DROP, EDROP and BCL,
http://www.spamhaus.org/bgpf/
)
because we really want to avoid false positives.

Just wondering if anyone has any words of caution ("False positives! Avoid FULLBOGONS and Spamhaus!"), or words of praise ("Do it all! These services are wonderful!") before we take the plunge.

Thanks,
Adam
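
Added example, not part of the thread and not Team Cymru or Spamhaus code: a pre-deployment check for the false-positive concern raised above, comparing a bogon-style prefix list against the prefixes you actually carry. It assumes the text lists use one CIDR prefix per line with `#` comments; the sample list and the inventory prefixes are constructed.

```python
import ipaddress

# Constructed sample in the assumed one-prefix-per-line text format.
# Not live feed data; TEST-NET ranges are omitted so they can stand in
# for routed space below (the real bogon list includes them).
SAMPLE_BOGONS = """\
# constructed sample
0.0.0.0/8
10.0.0.0/8
100.64.0.0/10
127.0.0.0/8
169.254.0.0/16
172.16.0.0/12
192.168.0.0/16
224.0.0.0/3
"""

def parse_prefix_list(text):
    """Parse one IPv4 prefix per line; '#' starts a comment."""
    nets = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            nets.append(ipaddress.IPv4Network(line, strict=True))
        except ValueError as exc:
            # Refuse a damaged list rather than filter on part of it.
            raise ValueError(f"line {lineno}: {exc}") from exc
    return nets

def find_conflicts(filter_nets, in_use):
    """Return (in_use_prefix, filter_prefix) pairs that overlap."""
    used = [ipaddress.IPv4Network(p) for p in in_use]
    return [(u, f) for u in used for f in filter_nets if u.overlaps(f)]

def is_filtered(addr, filter_nets):
    """True if a single source address falls inside any filter prefix."""
    ip = ipaddress.IPv4Address(addr)
    return any(ip in n for n in filter_nets)

if __name__ == "__main__":
    bogons = parse_prefix_list(SAMPLE_BOGONS)
    # Hypothetical inventory: one routed customer block, one CGN pool.
    inventory = ["203.0.113.0/24", "100.64.12.0/24"]
    for used, hit in find_conflicts(bogons, inventory):
        print(f"{used} would be dropped by filter entry {hit}")
```

Run against your own and your customers' prefixes, any pair it reports is traffic the filter would discard, which is the false-positive case to resolve before accepting the feed.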