nanog mailing list archives

Re: Getting hit hard by CHINANET


From: Ca By <cb.list6 () gmail com>
Date: Mon, 23 Mar 2015 06:37:44 -0700

On Monday, March 23, 2015, Ray Soucy <rps () maine edu> wrote:

I did a test on my personal server of filtering every IP network assigned
to China for a few months and over 90% of SSH attempts and other noise just
went away.  It was pretty remarkable.

Working for a public university I can't block China outright, but there are
times it has been tempting. :-)

The majority of DDOS attacks I see are sourced from addresses in the US,
though (likely spoofed).  Just saw a pretty large one last week which was
SSDP 1900 to UDP port 80, 50K+ unique host addresses involved.


Having your upstream apply a permanent udp bw policer, say 5 or 10x busy
hour baseline, works well for this.



On Wed, Mar 18, 2015 at 8:32 AM, Eric Rogers <ecrogers () precisionds com> wrote:

We are using Mikrotik for a BGP blackhole server that collects BOGONs
from CYMRU and we also have our servers (web, email, etc.) use fail2ban
to add a bad IP to the Mikrotik.  We then use BGP on all our core
routers to null route those IPs.

The ban-time is for a few days, and totally dynamic, so it isn't a
permanent ban.  Seems to have cut down on the attempts considerably.

Eric Rogers
PDSConnect
www.pdsconnect.me
(317) 831-3000 x200


-----Original Message-----
From: NANOG [mailto:nanog-bounces () nanog org] On Behalf Of Roland Dobbins
Sent: Wednesday, March 18, 2015 6:04 AM
To: nanog () nanog org
Subject: Re: Getting hit hard by CHINANET


On 18 Mar 2015, at 17:00, Roland Dobbins wrote:

This is not an optimal approach, and most providers are unlikely to
engage in such behavior due to its potential negative impact (I'm
assuming you mean via S/RTBH and/or flowspec).

Here's one counterexample:

<https://ripe68.ripe.net/presentations/176-RIPE68_JSnijders_DDoS_Damage_Control.pdf>

-----------------------------------
Roland Dobbins <rdobbins () arbor net>




--
Ray Patrick Soucy
Network Engineer
University of Maine System

T: 207-561-3526
F: 207-561-3531

MaineREN, Maine's Research and Education Network
www.maineren.net
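The fail2ban-to-Mikrotik pipeline Eric describes (failed SSH logins, a ban that expires after a few days, an address-list entry the BGP blackhole server turns into a null route) modelled end to end, as an added example that is not code from the thread or from fail2ban/RouterOS. The log lines and addresses are constructed, and the RouterOS address-list command syntax and the list name "blackhole" are assumptions.

```python
"""Toy fail2ban-style detector with a dynamic, expiring ban list (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sshd lines; syslog has no year, so 2015 is assumed below.
SAMPLE_LOG = """\
Mar 18 06:01:02 host sshd[111]: Failed password for root from 198.51.100.7 port 4001 ssh2
Mar 18 06:01:05 host sshd[112]: Failed password for root from 198.51.100.7 port 4002 ssh2
Mar 18 06:01:09 host sshd[113]: Failed password for admin from 198.51.100.7 port 4003 ssh2
Mar 18 06:02:00 host sshd[114]: Failed password for root from 203.0.113.9 port 5001 ssh2
Mar 18 06:03:30 host sshd[115]: Accepted publickey for ray from 192.0.2.4 port 6001 ssh2
"""
FAILED = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) .*Failed password for \S+ from (\d+\.\d+\.\d+\.\d+)")
MAXRETRY = 3                  # failures before banning, like fail2ban's maxretry
FINDTIME = timedelta(minutes=10)
BANTIME = timedelta(days=3)   # "a few days", not a permanent ban

def parse_failures(log, year=2015):
    """Yield (timestamp, source_ip) for every failed-login line."""
    for line in log.splitlines():
        m = FAILED.match(line)
        if m:
            yield datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S"), m.group(2)

def compute_bans(log, maxretry=MAXRETRY, findtime=FINDTIME, bantime=BANTIME):
    """Return {ip: expiry} for sources with >= maxretry failures inside one findtime window."""
    recent, bans = defaultdict(list), {}
    for ts, ip in parse_failures(log):
        recent[ip] = [t for t in recent[ip] if ts - t <= findtime] + [ts]
        if len(recent[ip]) >= maxretry and ip not in bans:
            bans[ip] = ts + bantime      # ban starts at the failure that crossed the threshold
    return bans

def routeros_commands(bans, now, list_name="blackhole"):
    """Address-list entries for unexpired bans only; the timeout makes the entry self-removing.
    The '/ip firewall address-list add ... timeout=DdHH:MM:SS' form is an assumed RouterOS syntax."""
    cmds = []
    for ip, exp in sorted(bans.items()):
        left = int((exp - now).total_seconds())
        if left <= 0:
            continue                      # expired: never push a stale null route
        d, rem = divmod(left, 86400)
        h, rem = divmod(rem, 3600)
        m, s = divmod(rem, 60)
        cmds.append(f"/ip firewall address-list add list={list_name} address={ip}/32 "
                    f"timeout={d}d{h:02d}:{m:02d}:{s:02d}")
    return cmds
```

Only the source with three failures inside the window is banned; the single failure from 203.0.113.9 and the successful key login never reach the blackhole list.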


