Blackholing APNIC Routes (or a subset of)

Anyone want to admit privately (I'll summarize to the list) if they actively
filter certain partitions of APNIC space?

We did a little experiment the past couple of days and saw at 85% of our
port 13[5-9] scans, Code Red/Nimda/formmail attempts, etc. go out the door
by blackholing those networks in .cn and .kr.

Thoughts? Is it a valid thesis? I've seen the discussions for spam
mitigation, etc via DNS, but this is actually null routing all their
traffic.

Eric

Speaking as someone who used to operate networks in New Zealand, please take care not to blame the whole region for troublesome traffic originating from one or two countries. There is nothing people in NZ can do about network abuse in China or Korea.

Subject lines that read "Blackholing APNIC Routes" are best avoided, in my opinion, lest they give people ideas. In other news, despite what several large network operators might think, 202/7 is not "CHINANET" :)

Joe

:Anyone want to admit privately (I'll summarize to the list) if they actively
:filter certain partitions of APNIC space?

I realize that you have asked for private replies, but I think
this might be useful to the rest of the list, albeit merely my
opinion.

While you may see positive results from filtering packets based
on geopolitical indicators like .cn and .kr, judging by the kind
of attacks this filtering has mitigated for you, there is nothing
to indicate that this behaviour is caused by anything meaningfully
endemic to these geographic regions.

It's obviously going to be a touchy subject. However, it is worth noting
that the attacks you are seeing are caused primarily by virus infections
of hosts registered to a NIC that happens to serve a massive number of
people.

My question would be, once 85% of these attacks were stopped by your
filters, what was the breakdown of attack sources for the remaining 15%,
and given that remainder, what percentage of those attacks could be
stopped by filtering prefixes registered to a specific NIC?

:Thoughts? Is it a valid thesis? I've seen the discussions for spam
:mitigation, etc via DNS, but this is actually null routing all their
:traffic.

It depends on the thesis, as you are obviously seeing results which
support the idea that there are a significant number of virus infections
which originate from a part of the Internet represented by their registration
with a particular NIC. What the thesis does not address is whether the
number of infections per subnet is higher than in a similar sample size
from another region, if such a sample size exists, and whether the
common thread of a NIC registration establishes causality
strongly enough to warrant taking action against networks based
on their NIC.

Also, if you were to link the infection rate of hosts
with some external indicator like geographic region, or
worse, some alleged political or cultural predisposition,
it would be a conjecture that could undermine the value of
your analysis.

So, it's definitely useful to look at, but linking it to external
things like geography and politics turns it into a political
analysis, which in turn becomes political ammunition.

What about mapping it by something more relevant to the structure
of the network like say, ASNs?

Cheers,

What about mapping it by something more relevant to the structure
of the network like say, ASNs?

now _that_ is a reasonable suggestion. it's not like APNIC manages the
routers or traffic emanating with source-addresses from those prefixes.
ASNs typically do.

s.

What about mapping it by something more relevant to the structure
of the network like say, ASNs?

And filtering on ASN-basis is straightforward if you have loose
RPF deployed. Just filter the inbound announcements from a specific
AS and all traffic will be dropped automatically.

Pete
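A small model of the mechanism Pete describes, added here as an illustration and not code from anyone in the thread: inbound announcements from a rejected origin AS are dropped before they reach the RIB, and a loose-mode uRPF check then discards packets whose source address no longer matches any route. The prefixes (RFC 5737 documentation space) and AS numbers (64496-64511 documentation range) are constructed.

```python
import ipaddress

# Constructed inbound BGP announcements: (prefix, AS path); the origin AS is
# the last element of the path.
ANNOUNCEMENTS = [
    ("192.0.2.0/24", [64500, 64496]),
    ("198.51.100.0/24", [64500, 64497]),
    ("198.51.100.128/25", [64500, 64498]),   # more specific of the /24 above
    ("203.0.113.0/24", [64500, 64499]),
]


def build_rib(announcements, rejected_origin_asns):
    """Apply the inbound policy: discard announcements whose origin AS is
    rejected, and install everything else as a route."""
    rib = []
    for prefix, as_path in announcements:
        if as_path[-1] in rejected_origin_asns:
            continue
        rib.append(ipaddress.ip_network(prefix))
    return rib


def loose_urpf_permits(rib, src):
    """Loose-mode uRPF: permit the packet iff *any* installed route covers
    its source address (no check on which interface it arrived on)."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in rib)


def classify(announcements, rejected_origin_asns, sources):
    """Return {source_ip: permitted?} for a set of packet sources after the
    route filter and the loose uRPF check have been applied."""
    rib = build_rib(announcements, rejected_origin_asns)
    return {src: loose_urpf_permits(rib, src) for src in sources}


if __name__ == "__main__":
    verdict = classify(ANNOUNCEMENTS, {64496, 64498},
                       ["192.0.2.10", "198.51.100.200", "203.0.113.5"])
    for src, ok in verdict.items():
        print(src, "permitted" if ok else "dropped")
```

Note the edge case the model exposes: traffic sourced from 198.51.100.200 is still permitted when only AS 64498 is rejected, because the covering /24 from AS 64497 (or any default route) keeps a matching route in the RIB, so loose uRPF only drops what has no route at all.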