nanog mailing list archives
Re: Obsolete bogon filtering
From: Mark Newton <newton () internode com au>
Date: Sun, 13 Mar 2005 14:03:46 +1030
On Sat, Mar 12, 2005 at 04:56:09PM -0500, Joe Provo wrote:
> > If you run any bogon filtering, can you please check your border ACLs and BGP prefix filters to ensure that you're no longer preventing access to 58.0.0.0/8 or 59.0.0.0/8 ?
>
> [snip]
>
> It is useful to point out that APNIC indicates the minalloc in 59/8 is /20 and 58/8 is /21. I see several prefixes 'in the wild' which are longer, so where you think you might be seeing old bogon filters you are potentially seeing registry minalloc filters.

No, we're announcing 59.167.0.0/17 -- Well shorter than the minalloc restriction.

We're not dealing with people who are trying to "enforce" registry allocation guidelines here (note: that's allocation guidelines, not BGP announcement guidelines). We're just dealing with people who are potentially too clueless to breathe, who haven't updated their filters for nearly a year.

Speaking of "too clueless to breathe": DShield.org

On Wednesday I emailed them to tell them that one of their customers had informed me that they had 58/8 and 59/8 in the blacklists they publish on their website.

Somewhere along the line whoever read that email had a small neural collapse immediately afterwards, and imagined that what I had actually said was, "I am a responsible person in charge of 58/8 and 59/8, and you may begin sending IDS logs and exploit reports direct to me for action."

Since then I've received about 250 such email messages, and every single one of them pertains to networks which have absolutely nothing to do with me. I emailed them on Thursday and Friday to tell them about their mistake, but they've (thus far) ignored those messages, and I have had no further (non-automated) contact from them.

Words fail me.

Today it got worse: Apparently they share their database with "netvigator.com", who send out automated "you're hosting an open relay" email messages; So now I'm getting security alerts from two completely different organizations all telling me that IP addresses belonging to a bunch of Asian ISPs I've never heard of are attacking IP addresses belonging to a bunch of American ISPs I've never heard of.

Ask me whether or not I could care less. Go on, ask me. I dare you.

Needless to say my spam filter has been receiving some remedial retraining over the last couple of days, and now understands exactly how to deal with anything from netvigator.com and dsheild.org.

It's things like this that really point out that most of the Internet is under the custodianship of total amateurs.

It's really disappointing to see the level of abject cluelessness I've found surrounding this topic; There are *SO MANY* people out there who have read in a book somewhere that they should be blocking a few things, so they've just blocked 'em without any further thought. Even some Serious Blue-Chip Multinationals appear to have professional Network Security divisions who really should know better, but don't. It's a real eye-opener.

  - mark

--
Mark Newton                               Email: newton () internode com au (W)
Network Engineer                          Email: newton () atdot dotat org (H)
Internode Systems Pty Ltd                 Desk: +61-8-82282999
"Network Man" - Anagram of "Mark Newton"  Mobile: +61-416-202-223