[179000] in North American Network Operators' Group

Re: Getting hit hard by CHINANET

daemon@ATHENA.MIT.EDU (Ray Soucy)
Mon Mar 23 09:06:25 2015

X-Original-To: nanog@nanog.org
In-Reply-To: <C820E8FCB95D264B9F200903B532BD240230A103@equinox.precisionds.com>
Date: Mon, 23 Mar 2015 09:06:22 -0400
From: Ray Soucy <rps@maine.edu>
To: Eric Rogers <ecrogers@precisionds.com>
Cc: NANOG <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org

I did a test on my personal server of filtering every IP network assigned
to China for a few months and over 90% of SSH attempts and other noise just
went away.  It was pretty remarkable.

Working for a public university I can't block China outright, but there are
times it has been tempting. :-)

The majority of DDOS attacks I see are sourced from addresses in the US,
though (likely spoofed).  Just saw a pretty large one last week which was
SSDP 1900 to UDP port 80, 50K+ unique host addresses involved.


On Wed, Mar 18, 2015 at 8:32 AM, Eric Rogers <ecrogers@precisionds.com>
wrote:

> We are using Mikrotik for a BGP blackhole server that collects BOGONs
> from CYMRU and we also have our servers (web, email, etc.) use fail2ban
> to add a bad IP to the Mikrotik.  We then use BGP on all our core
> routers to null route those IPs.
>
> The ban-time is for a few days, and totally dynamic, so it isn't a
> permanent ban.  Seems to have cut down on the attempts considerably.
>
> Eric Rogers
> PDSConnect
> www.pdsconnect.me
> (317) 831-3000 x200
>
>
> -----Original Message-----
> From: NANOG [mailto:nanog-bounces@nanog.org] On Behalf Of Roland Dobbins
> Sent: Wednesday, March 18, 2015 6:04 AM
> To: nanog@nanog.org
> Subject: Re: Getting hit hard by CHINANET
>
>
> On 18 Mar 2015, at 17:00, Roland Dobbins wrote:
>
> > This is not an optimal approach, and most providers are unlikely to
> > engage in such behavior due to its potential negative impact (I'm
> > assuming you mean via S/RTBH and/or flowspec).
>
> Here's one counterexample:
>
> <https://ripe68.ripe.net/presentations/176-RIPE68_JSnijders_DDoS_Damage_Control.pdf>
>
> -----------------------------------
> Roland Dobbins <rdobbins@arbor.net>
>



-- 
Ray Patrick Soucy
Network Engineer
University of Maine System

T: 207-561-3526
F: 207-561-3531

MaineREN, Maine's Research and Education Network
www.maineren.net
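
Added example, not part of any message in this thread: a sketch of the bookkeeping behind the fail2ban-fed, time-limited blackhole list described in the quoted message, including a guard that refuses to null-route protected prefixes. The class and function names, the three-day ban time, the protected prefixes and the (action, prefix) tuples are all assumptions; turning those tuples into routes on the trigger router is not shown.

```python
import ipaddress

BAN_SECONDS = 3 * 24 * 3600  # "a few days"; the exact figure is an assumption

# Constructed: prefixes that must never be null-routed (own space, upstreams).
PROTECTED = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "2001:db8::/32")]


class BlackholeTable:
    """Tracks banned hosts and yields the route changes a trigger router needs."""

    def __init__(self, ban_seconds=BAN_SECONDS, protected=PROTECTED):
        self.ban_seconds = ban_seconds
        self.protected = protected
        self.expires = {}  # host route (ip_network) -> expiry time

    def ban(self, addr, now):
        """Return [("announce", prefix)] for a new ban, [] otherwise."""
        try:
            ip = ipaddress.ip_address(addr.strip())
        except ValueError:
            return []  # log lines can carry garbage; never pass it on
        if any(ip in net for net in self.protected):
            return []  # a spoofed or mis-parsed source must not cut us off
        route = ipaddress.ip_network(f"{ip}/{ip.max_prefixlen}")  # host route
        is_new = route not in self.expires
        self.expires[route] = now + self.ban_seconds  # repeat offence extends
        return [("announce", str(route))] if is_new else []

    def expire(self, now):
        """Return [("withdraw", prefix)] for every ban whose time is up."""
        done = sorted((r for r, t in self.expires.items() if t <= now), key=str)
        for route in done:
            del self.expires[route]
        return [("withdraw", str(r)) for r in done]


def replay(events, table=None):
    """Feed (time, addr-or-None) events; None means a periodic expiry tick."""
    table = table or BlackholeTable()
    out = []
    for now, addr in events:
        out += table.expire(now) if addr is None else table.ban(addr, now)
    return out
```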
