[186637] in North American Network Operators' Group


Re: de-peering for security sake

daemon@ATHENA.MIT.EDU (Owen DeLong)
Sat Dec 26 15:35:18 2015

X-Original-To: nanog@nanog.org
From: Owen DeLong <owen@delong.com>
In-Reply-To: <-1680641458761921693@unknownmsgid>
Date: Sat, 26 Dec 2015 12:34:11 -0800
To: Joe Abley <jabley@hopcount.ca>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org


> On Dec 26, 2015, at 08:14, Joe Abley <jabley@hopcount.ca> wrote:
>
> On Dec 26, 2015, at 10:09, Stephen Satchell <list@satchell.net> wrote:
>
>> My gauge is volume of obnoxious traffic. When I get lots of SSH probes from a /32, I block the /32.
>
> ... without any knowledge of how many end systems are going to be affected.
>
> A significant campus or provider user base behind a NAT is likely to
> have more infections in absolute terms, which means more observed bad
> behaviour. It also means more end-systems (again, in absolute terms)
> that represent collateral damage.

Living with IPv4 sucks. It's only going to get worse. This is not news.
There are no good IPv4 answers.

>
>> When I get lots of SSH probes across a range of a /24, I block the /24.
>
> [...]
>
>> When I see that the bad traffic has caused me to block multiple /24s, I will block the entire allocation.
>
> Your network, your rules. But that's not the way I would manage things
> if I thought my job was to optimise and maximise connectivity between
> my users and the Internet.

So what is your approach?

> With respect to ssh scans in particular -- disable all forms of
> password authentication and insist upon public key authentication
> instead. If the password scan log lines still upset you, stop logging
> them.

This isn't a bad idea, per se, but it's not always possible for the guy running the server
to dictate usage to the people using the accounts.

Also, note that the only difference between a good long passphrase and a private key is,
uh, wait, um, come to think of it, really not much.

The primary difference is that nobody expects to have to remember a private key so we don't
get fussed when they contain lots of entropy. Users aren't good at choosing good long secure
passphrases and the automated mechanisms that attempt to enforce strong passwords just
serve to increase user confusion and actually reduce the entropy in passwords overall.

Owen
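The escalation Stephen describes (block the /32, then the /24 once several hosts in it are noisy) and the collateral count Joe objects to, written out as an added example that is not code from any participant in the thread. It assumes the standard OpenSSH "Failed password for ... from A.B.C.D port N" syslog line; the sample log lines are constructed on RFC 5737 documentation addresses, and the thresholds are arbitrary knobs, not values anyone in the thread gave.

```python
"""Escalating SSH-scanner blocks from auth-log volume, with a collateral count."""
import ipaddress
import re
from collections import Counter, defaultdict

# Matches the sshd line for a rejected password, with or without "invalid user".
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ "
    r"from (\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def _line(ip, user):
    # Constructed log line in the shape sshd writes via syslog (assumed default format).
    return (f"Dec 26 12:34:11 gw sshd[4242]: Failed password for invalid user "
            f"{user} from {ip} port 51234 ssh2")


# Constructed sample: three noisy hosts in one /24, one quiet host in the same /24,
# one noisy host alone in another /24, and an unrelated successful key login.
SAMPLE_LOG = (
    [_line("203.0.113.5", "admin")] * 25
    + [_line("203.0.113.6", "root")] * 22
    + [_line("203.0.113.7", "oracle")] * 30
    + [_line("203.0.113.9", "test")] * 2
    + [_line("198.51.100.10", "pi")] * 40
    + ["Dec 26 12:35:00 gw sshd[4243]: Accepted publickey for owen from 192.0.2.8 port 40000 ssh2"]
)


def parse_failed_logins(lines):
    """Count rejected password attempts per source address (string keys)."""
    hits = Counter()
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            hits[m.group(1)] += 1
    return hits


def plan_blocks(hits, host_threshold=20, net_threshold=3):
    """Escalate the way the thread describes.

    A /32 with at least host_threshold attempts is blocked on its own; when
    net_threshold or more such hosts sit in one /24, the whole /24 is blocked
    instead. Returns (blocks, collateral): blocks as CIDR strings, collateral
    mapping each blocked /24 to the number of its addresses that never appeared
    in the log at all, i.e. the end systems Joe's objection is about.
    """
    offenders = {ipaddress.ip_address(ip) for ip, n in hits.items() if n >= host_threshold}
    by_net = defaultdict(set)
    for ip in offenders:
        by_net[ipaddress.ip_network(f"{ip}/24", strict=False)].add(ip)

    blocks, collateral = [], {}
    for net, ips in sorted(by_net.items()):
        if len(ips) >= net_threshold:
            blocks.append(str(net))
            seen_in_net = sum(1 for ip in hits if ipaddress.ip_address(ip) in net)
            collateral[str(net)] = net.num_addresses - seen_in_net
        else:
            blocks.extend(f"{ip}/32" for ip in sorted(ips))
    return blocks, collateral


if __name__ == "__main__":
    blocks, collateral = plan_blocks(parse_failed_logins(SAMPLE_LOG))
    for b in blocks:
        extra = f"  (covers {collateral[b]} addresses never seen in the log)" if b in collateral else ""
        print(f"block {b}{extra}")
```

Run on the sample, the lone scanner in 198.51.100.0/24 gets a /32 entry while 203.0.113.0/24 is blocked outright, and the collateral figure (252 addresses the log has never seen) is the number the thread argues about: behind a campus NAT, many of those are innocent end systems.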

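Joe's advice to "disable all forms of password authentication" is easy to get wrong in sshd_config, so here is an added example (not code from anyone in the thread) that audits a config text for password paths that remain open. It encodes two rules from sshd_config(5): for each keyword the first obtained value wins, and an Include is processed at the point where it appears, so values in the included files beat anything further down the main file. It also treats ChallengeResponseAuthentication as the older name of KbdInteractiveAuthentication, and flags keyboard-interactive with UsePAM as a way PAM can still ask for a password. Only the global section is audited; the first Match block stops the scan. The two configs are constructed samples, and the defaults table is the upstream documentation's, which a distribution build may override.

```python
"""Audit an sshd_config text for password logins that are still possible."""
import re

# Upstream documented defaults for the keywords examined (assumption: a distro
# build may compile in different ones; the audit only reads the given text).
DEFAULTS = {
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "pubkeyauthentication": "yes",
    "usepam": "no",
}
# Older name for the same keyword, still accepted by sshd.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}

WEAK_CONFIG = """\
# Looks hardened at first glance (constructed sample)
Include /etc/ssh/sshd_config.d/*.conf
PasswordAuthentication yes
UsePAM yes
ChallengeResponseAuthentication yes
# appended later in the hope that it takes effect:
PasswordAuthentication no
Match Address 192.0.2.0/24
    PasswordAuthentication yes
"""

HARDENED_CONFIG = """\
# Public keys only (constructed sample)
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
UsePAM yes
"""


def effective_settings(config_text):
    """Return (settings, notes) for the global section of config_text."""
    settings = dict(DEFAULTS)
    seen = set()
    notes = []
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = ALIASES.get(parts[0].lower(), parts[0].lower())
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        if key == "match":
            notes.append(f"line {lineno}: Match block begins; conditional settings below it are not audited here")
            break
        if key == "include":
            notes.append(f"line {lineno}: Include {value}; values in those files are read here and beat anything below")
            continue
        if key not in settings:
            continue
        if key in seen:
            notes.append(f"line {lineno}: {key} already set to {settings[key]!r}; sshd ignores this repeat")
        else:
            settings[key] = value
            seen.add(key)
    return settings, notes


def password_paths_open(settings):
    """List the ways a plain password can still be accepted under these settings."""
    paths = []
    if settings["passwordauthentication"] == "yes":
        paths.append("PasswordAuthentication yes")
    if settings["kbdinteractiveauthentication"] == "yes" and settings["usepam"] == "yes":
        paths.append("KbdInteractiveAuthentication yes with UsePAM yes (PAM can still prompt for a password)")
    return paths


def audit(config_text):
    """Convenience wrapper returning (open password paths, notes)."""
    settings, notes = effective_settings(config_text)
    return password_paths_open(settings), notes


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        paths, notes = audit(text)
        verdict = "password login still possible via " + "; ".join(paths) if paths else "public key only"
        print(f"{name}: {verdict}")
        for n in notes:
            print("  note:", n)
```

On a live host the authoritative view is what the daemon itself resolves, `sshd -T` (add `-C user=...,addr=...` to see a Match block's effect), which is the check to run after editing rather than trusting the file as read; the audit above exists to show why the appended `PasswordAuthentication no` in the weak sample never takes effect.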
