Re: Open relays and open proxies

[Jeff Kell <jeff-kell () utc edu>]

Joe St Sauver wrote:

> What's really needed is some way to take open proxy DNSBL data and 
> instantiate a dump of that data onto a suitable appliance. It is probably
> too much state to burden a reasonable sized border route with, but you 
> could imagine other devices that could probably handle it (at least for
> moderate speed flows), much as there are currently middle boxes which
> rip open packets to target peer to peer traffic.

Along those lines, I have been running an ACL-based spam blocker at 
ingress for a little over six months, but it has really surpassed the 
manageable level for many devices.  To put this in perspective, we use
a feed from SPEWS level 1 data, current DShield block list, and some 
manual black/whitelist data, shove it through a perl script, and
produce a TFTPable config file which is then 'config net'ed into our 
edge devices.

The last few days of SPEWS data varies around 14000 lines (mix of CIDR 
blocks and individual hosts), currently 2400 lines in our local 
additions, yielding a merged ACL (with ingress blocks, bogons, Dshield 
blocks, and anti-spam) of ~15800 lines (~603kB).  With 'service 
compress-config' enabled, this fits into a 3640 and doesn't kill it in 
the process (8xT1s).  It overflows TCAM on a 6509 and forces process 
switching in the ingress direction, but otherwise works (1xGigE, 2x100FE).

On the other hand, NJABL.ORG lists 255K open relays, 170K open proxies, 
and a spattering of dialups and other listings.  This is way beyond ACLs 
that I could even imagine thinking about :-)

Jeff