nanog mailing list archives
Re: BGP hijack from 23724 -> 4134 China?
From: Brielle Bruns <bruns () 2mbit com>
Date: Thu, 08 Apr 2010 20:35:15 -0600
On 4/8/10 8:17 PM, Danny McPherson wrote:
On Apr 8, 2010, at 8:05 PM, Brielle Bruns wrote:
Since there's been a lot of requests for the ACLs, I've gone ahead and put the info on our wiki for easy access. http://wiki.sosdg.org/sosdg:internal:chinafilter Hope it comes in handy, and please let me know if I'm missing anything.
If you're going to post this and folks are actually going to consider employing it I suspect it'd be well worthwhile to include on that page how you generated it and how you keep it updated -- so that it can be updated by others as necessary.
It's sorta a mess to generate that final list. The best way is to take the Country IP Blocks list, use a tool like cidr-convert.c (http://www.spamshield.org/cidr-convert.c) to aggregate blocks.
For Foundry, there's the ability to enter into an input mode for ACLs where you can dump a list of CIDR blocks, and it will handle the conversion into access-list commands.
I grabbed that access-list from the routers directly, so that's why it's been generated already. If there's a tool for UNIX/Linux that can generate the wildcard masks from CIDR in bulk for use in creating ACLs, I'd be happy to put it up on the page.
Additionally, folks should note that this policy would have made zero difference in this particular incident, most of you likely realize that. Furthermore, a policy such as this does nothing to mitigate exfiltration of data TO those address blocks you've listed.
Of course, this won't fix the prefix leaks. I think everyone here knows that. :)
FWIW, this is a lot like putting a bandaid on a headache - it's not going to do much good in reality, and likely cause more harm than good in properly secured networks - but it might make some folks feel a little better.
More harm than good is a matter of opinion. Denying all of mainland China reduces the amount of attacks on my network. If you consider that masking security problems rather than fixing them, then *shrugs*. It's just one of many layers. It also allows me to make and enforce the statement that I will not tolerate the bullshit China pulls.
-- Brielle Bruns The Summit Open Source Development Group http://www.sosdg.org / http://www.ahbl.org
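The aggregation and wildcard-mask steps described in the message above, as an added example that is not the poster's tooling, the SOSDG wiki list, or cidr-convert.c. The input is a constructed list of RFC 5737 documentation ranges, and the Cisco-style "deny ip <net> <wildcard> any" line format is an assumption about the target platform.

```python
"""Aggregate a CIDR block list and emit deny lines with wildcard masks.

Added example, not the original poster's tooling. The ACL line format
(Cisco-style "deny ip <net> <wildcard> any") is an assumption; adjust
for your platform. Input: one CIDR per line, '#' comments allowed.
"""
import ipaddress
import sys

# Constructed sample input using RFC 5737 documentation ranges, not a real feed.
SAMPLE = """
# overlapping and adjacent entries on purpose
192.0.2.0/25
192.0.2.128/25
198.51.100.0/24
198.51.100.0/26
203.0.113.0/24
"""


def parse(lines):
    """Parse CIDR strings, skipping blanks and comments; strict=False tolerates host bits."""
    nets = []
    for line in lines:
        line = line.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def aggregate(nets):
    """Collapse adjacent/overlapping networks per address family (the cidr-convert.c step)."""
    v4 = [n for n in nets if n.version == 4]
    v6 = [n for n in nets if n.version == 6]
    return list(ipaddress.collapse_addresses(v4)) + list(ipaddress.collapse_addresses(v6))


def wildcard(cidr):
    """Return the inverted netmask (wildcard) for a CIDR, e.g. /22 -> 0.0.3.255."""
    return str(ipaddress.ip_network(cidr, strict=False).hostmask)


def acl_lines(lines, action="deny"):
    """Build one ACL line per aggregated IPv4 network, smallest first."""
    return [f"{action} ip {n.network_address} {n.hostmask} any"
            for n in aggregate(parse(lines)) if n.version == 4]


if __name__ == "__main__":
    src = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE.splitlines()
    print("\n".join(acl_lines(src)))
```

Run it with a file path to convert a real list; overlapping entries are merged before the ACL is emitted, so the output is the minimal rule set.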