[186633] in North American Network Operators' Group
Re: de-peering for security sake
daemon@ATHENA.MIT.EDU (Joe Abley)
Sat Dec 26 11:14:29 2015
X-Original-To: nanog@nanog.org
From: Joe Abley <jabley@hopcount.ca>
In-Reply-To: <567EADA8.2090307@satchell.net>
Date: Sat, 26 Dec 2015 11:14:25 -0500
To: Stephen Satchell <list@satchell.net>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org
On Dec 26, 2015, at 10:09, Stephen Satchell <list@satchell.net> wrote:
> My gauge is volume of obnoxious traffic. When I get lots of SSH probes from a /32, I block the /32.
... without any knowledge of how many end systems are going to be affected.
A significant campus or provider user base behind a NAT is likely to
have more infections in absolute terms, which means more observed bad
behaviour. It also means more end-systems (again, in absolute terms)
that represent collateral damage.
> When I get lots of SSH probes across a range of a /24, I block the /24.
[...]
> When I see that the bad traffic has caused me to block multiple /24s, I will block the entire allocation.
Your network, your rules. But that's not the way I would manage things
if I thought my job was to optimise and maximise connectivity between
my users and the Internet.
With respect to ssh scans in particular -- disable all forms of
password authentication and insist upon public key authentication
instead. If the password scan log lines still upset you, stop logging
them.
Joe
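The recommendation above (public-key only, no password authentication on sshd) is a configuration change, and the usual mistake is a stock `sshd_config` that still has the default `PasswordAuthentication yes` buried under a commented-out `#PasswordAuthentication no`. The script below is an added example, not part of the thread or of OpenSSH: it writes two constructed `sshd_config` samples (one weak, one hardened) to temp files and checks each for the OpenSSH keywords that control password, keyboard-interactive and public-key authentication. It follows the real sshd rule that the first occurrence of a keyword wins, and it ignores `Match` blocks, which is a simplification.

```shell
#!/bin/sh
# Added example (not from the NANOG thread): check an OpenSSH sshd_config for
# "public key only" authentication. Assumes OpenSSH keyword names; on a live
# host `sshd -T` prints the effective configuration and is the better input.

# Print the value of the FIRST occurrence of a keyword, lowercased (sshd uses
# the first value it reads). Commented-out lines begin with '#' in field 1 and
# therefore never match. Prints nothing if the keyword is absent.
sshd_option() {
    awk -v k="$1" 'NF >= 2 && tolower($1) == tolower(k) { print tolower($2); exit }' "$2"
}

# Return 0 if the file disables password and keyboard-interactive logins and
# leaves public-key authentication enabled; otherwise print each finding and
# return 1. Missing keywords are filled in with the OpenSSH defaults (all yes).
check_sshd_config() {
    f="$1"
    pw=$(sshd_option PasswordAuthentication "$f");        [ -n "$pw" ]  || pw=yes
    kbd=$(sshd_option KbdInteractiveAuthentication "$f")
    [ -n "$kbd" ] || kbd=$(sshd_option ChallengeResponseAuthentication "$f")  # older name
    [ -n "$kbd" ] || kbd=yes
    pub=$(sshd_option PubkeyAuthentication "$f");          [ -n "$pub" ] || pub=yes
    rc=0
    [ "$pw" = no ]   || { echo "$f: PasswordAuthentication is '$pw' (want no)"; rc=1; }
    [ "$kbd" = no ]  || { echo "$f: keyboard-interactive auth is '$kbd' (want no)"; rc=1; }
    [ "$pub" = yes ] || { echo "$f: PubkeyAuthentication is '$pub' (want yes)"; rc=1; }
    return $rc
}

# Constructed sample 1: looks hardened at a glance, but the "no" line is a
# comment and the later uncommented "yes" is what sshd actually applies.
WEAK=$(mktemp)
cat > "$WEAK" <<'EOF'
Port 22
#PasswordAuthentication no
PubkeyAuthentication yes
PasswordAuthentication yes
EOF

# Constructed sample 2: the configuration the post recommends. Both spellings
# of the keyboard-interactive keyword are set so old and new sshd agree.
HARD=$(mktemp)
cat > "$HARD" <<'EOF'
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
ChallengeResponseAuthentication no
EOF

for cfg in "$WEAK" "$HARD"; do
    if check_sshd_config "$cfg"; then
        echo "$cfg: public-key only, ok"
    fi
done
```

Run it as `sh check-sshd.sh` (any name works); the weak sample reports two findings, the hardened one passes. To check a real host, point `check_sshd_config` at the output of `sshd -T` saved to a file, since that already has `Match` blocks and includes resolved.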