nanog mailing list archives

Re: 20-30Gbps UDP 1720 traffic appearing to originate from CN in last 24 hours


From: Jared Mauch <jared () puck Nether net>
Date: Tue, 21 Jul 2015 07:16:53 -0400


        I'm reminded of the "the russians are hacking our water system"
stories from a few years back, when it turned out the water system
administrator was on vacation in russia.

        often traffic comes from unexpected locations.  perhaps you
should fail-closed with good business practices to open things up.
perhaps you fail-open then mitigate risk by using a blocklist.

        my suggestion is that if you didn't live through the days
of the bogon lists, which were later allocated to RIRs, a block
list is likely not the right approach if you are truly working on
security posture.

        - Jared

On Mon, Jul 20, 2015 at 09:50:44PM +0100, Colin Johnston wrote:
> blocking to mitigate risk is a better trade-off, gaining a better percentage of legit traffic against an inadvertent minor
> valid good network range.
>
>
> Sent from my iPhone
>
> On 20 Jul 2015, at 21:20, Valdis.Kletnieks () vt edu wrote:
>
>> On Mon, 20 Jul 2015 21:12:33 +0100, Colin Johnston said:
>>> source user to use phone contact and or postal service to establish contact
>>
>> And your phone and postal addresses are listed *where* that Joe Aussie-Sixpack
>> is likely to be able to find?
>>
>> (Hint 1: If it's on your website, they can't find it.)
>>
>> (Hint 2: Mortal users have never heard of WHOIS or similar services)
>>
>> And what are the chances that after 3-4 days of unreachable, the user will
>> simply conclude you've gone out of business and you've lost a customer/reader
>> to a competitor?

-- 
Jared Mauch  | pgp key available via finger from jared () puck nether net
clue++;      | http://puck.nether.net/~jared/  My statements are only mine.
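The fail-closed versus fail-open trade-off Jared describes, and the bogon-list lesson that a blocklist entry is only as good as the allocation data it was written against, as an added example that is not part of the thread. The `Policy`, `BlockEntry` and `evaluate` names are hypothetical, and the prefixes are documentation/private ranges constructed for the example, not the sources of the reported UDP/1720 traffic. Each blocklist entry carries a `review_by` date; an entry past that date is still enforced but reported as stale, so a range that was unallocated when it was listed cannot silently keep dropping a customer years later.

```python
from dataclasses import dataclass
from datetime import date
import ipaddress


@dataclass(frozen=True)
class BlockEntry:
    network: ipaddress.IPv4Network
    reason: str
    review_by: date  # date by which the entry must be re-checked against current allocations


def make_block_entry(cidr, reason, review_by):
    return BlockEntry(ipaddress.ip_network(cidr), reason, review_by)


class Policy:
    """Hypothetical per-source policy for an inbound service (here UDP/1720).

    fail-closed: only allowlisted sources get in, everything else is dropped.
    fail-open:   everything gets in unless a blocklist entry matches.
    """

    def __init__(self, mode, allow=(), block=()):
        if mode not in ("fail-closed", "fail-open"):
            raise ValueError("mode must be 'fail-closed' or 'fail-open'")
        self.mode = mode
        self.allow = [ipaddress.ip_network(c) for c in allow]
        self.block = list(block)

    def decide(self, src, today):
        """Return (verdict, reason) for a source address on a given date."""
        ip = ipaddress.ip_address(src)
        if self.mode == "fail-closed":
            if any(ip in n for n in self.allow):
                return "allow", "allowlisted"
            return "drop", "not allowlisted"
        for e in self.block:
            if ip in e.network:
                if today > e.review_by:
                    # Still enforced, but flagged: this is how bogon-style entries rot.
                    return "drop", f"STALE blocklist entry {e.network} ({e.reason}), review overdue"
                return "drop", e.reason
        return "allow", "no blocklist match"

    def stale_entries(self, today):
        """Entries whose review date has passed and need re-validation."""
        return [e for e in self.block if today > e.review_by]


# Constructed sample data: documentation ranges, not real traffic sources.
ALLOW = ["198.51.100.0/24"]
BLOCK = [
    make_block_entry("192.0.2.0/24", "observed UDP/1720 flood source", date(2015, 8, 20)),
    make_block_entry("203.0.113.0/24", "unallocated at time of listing", date(2015, 1, 1)),
]
TODAY = date(2015, 7, 21)  # constructed "current" date for the example


def evaluate(src, mode, today=TODAY):
    return Policy(mode, allow=ALLOW, block=BLOCK).decide(src, today)


def stale_networks(today=TODAY):
    """CIDR strings of blocklist entries overdue for review."""
    return [str(e.network) for e in Policy("fail-open", block=BLOCK).stale_entries(today)]


if __name__ == "__main__":
    for src in ("198.51.100.7", "192.0.2.9", "203.0.113.5", "10.0.0.1"):
        for mode in ("fail-closed", "fail-open"):
            print(f"{mode:12} {src:14} -> {evaluate(src, mode)}")
    print("entries overdue for review:", stale_networks())
```

Running it shows the two modes disagree on exactly the traffic Jared is talking about: the unknown source `10.0.0.1` is dropped fail-closed and allowed fail-open, while the entry listed as "unallocated" is reported as stale so that someone has to confirm it is still unallocated before it keeps dropping packets.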

