
Mailing List Archive: NANOG: users

dealing with bogon spam ?

 

 



leslie at craigslist

Oct 27, 2009, 4:57 PM

Post #1 of 35 (1452 views)
Permalink
dealing with bogon spam ?

First off, I'm not certain if unallocated space in blocks less than a /8
is properly called bogon, so pardon my terminology if I'm incorrect.

We're seeing a decent chunk of spam coming from an unallocated block of
address space. We use CYMRU's great list of /8 bogon space to prevent
completely off the wall abuse, but the granularity stops at /8's.
Obviously, I've written the originating AS and its single upstream
provider (sadly without any response). I'm not looking for a one time
solution for this issue however -- I'd like to permanently block (and
kick) anyone who's using unallocated space illegitimately.

How have you dealt with this issue? Does anyone publish a more granular
listing of unallocated space? Does ARIN have this information somewhere
other than just probing any given IP via whois?

Thanks!
Leslie
Craigslist Spam Hater


leslie at craigslist

Oct 27, 2009, 5:10 PM

Post #2 of 35 (1419 views)
Permalink
Re: dealing with bogon spam ? [In reply to]

I failed to mention we're seeing this from an unallocated /20 whose
parent /8 is allocated to ARIN (and is partially in use)

Leslie

Leslie wrote:
> First off, I'm not certain if unallocated space in blocks less than a /8
> is properly called bogon, so pardon my terminology if I'm incorrect.
>
> We're seeing a decent chunk of spam coming from an unallocated block of
> address space. We use CYMRU's great list of /8 bogon space to prevent
> completely off the wall abuse, but the granularity stops at /8's.
> Obviously, I've written the originating AS and its single upstream
> provider (sadly without any response). I'm not looking for a one time
> solution for this issue however -- I'd like to permanently block (and
> kick) anyone who's using unallocated space illegitimately.
>
> How have you dealt with this issue? Does anyone publish a more granular
> listing of unallocated space? Does arin have this information somewhere
> other than just probing any given ip via whois?
>
> Thanks!
> Leslie
> Craigslist Spam Hater


nanog at daork

Oct 27, 2009, 5:13 PM

Post #3 of 35 (1418 views)
Permalink
Re: dealing with bogon spam ? [In reply to]

On 28/10/2009, at 12:57 PM, Leslie wrote:

> First off, I'm not certain if unallocated space in blocks less than
> a /8 is properly called bogon, so pardon my terminology if I'm
> incorrect.
>
> We're seeing a decent chunk of spam coming from an unallocated block
> of address space. We use CYMRU's great list of /8 bogon space to
> prevent completely off the wall abuse, but the granularity stops at /
> 8's. Obviously, I've written the originating AS and its single
> upstream provider (sadly without any response). I'm not looking for
> a one time solution for this issue however -- I'd like to
> permanently block (and kick) anyone who's using unallocated space
> illegitimately.
>
> How have you dealt with this issue? Does anyone publish a more
> granular listing of unallocated space? Does arin have this
> information somewhere other than just probing any given ip via whois?


You *might* be able to get a copy of the whois database as an
optimisation so you don't have to hit their servers all the time -
does that help?
I wouldn't rely on that though, but I don't see any other good options.
Perhaps you can only accept stuff from networks that you first saw an
announcement for greater than 7 days ago, to prevent people popping up
with a network for a day, spamming, and then disappearing? Likely to
get lots of false positives in that though, and as soon as someone
figures out your technique it's not going to work.

Religious war alert: does SIDR solve this? I guess only if you only
accept signed advertisements.. I don't know if that is the intended
default mode or not.. Need to do some reading I guess.

--
Nathan Ward


jay at west

Oct 27, 2009, 5:42 PM

Post #4 of 35 (1417 views)
Permalink
Re: dealing with bogon spam ? [In reply to]

Leslie wrote:
> First off, I'm not certain if unallocated space in blocks less than a /8
> is properly called bogon, so pardon my terminology if I'm incorrect.

Bogon is probably the correct term for any IP space that doesn't belong
on the public Internet because it is reserved, unallocated, etc.

> We're seeing a decent chunk of spam coming from an unallocated block of
> address space. We use CYMRU's great list of /8 bogon space to prevent
> completely off the wall abuse, but the granularity stops at /8's.
> Obviously, I've written the originating AS and its single upstream
> provider (sadly without any response). I'm not looking for a one time
> solution for this issue however -- I'd like to permanently block (and
> kick) anyone who's using unallocated space illegitimately.

Not too permanently, though. That space is likely to become allocated,
and the new legitimate user thereof shouldn't have to beg thousands of
networks to unblock it.

> How have you dealt with this issue? Does anyone publish a more granular
> listing of unallocated space? Does arin have this information somewhere
> other than just probing any given ip via whois?

I'm not specifically aware of a more granular listing. It would have to
be dynamic as new allocations occur all the time. The RIRs (ARIN, RIPE,
APNIC, etc.) are the authoritative source for the space allocated to
them, but I don't know if they have a real-time bogon list available.

In addition to the published list, Team Cymru has a BGP feed and other
resources, but I don't know how granular it is with respect to
unallocated space. See here:

http://www.team-cymru.org/Services/Bogons/

--
Jay Hennigan - CCIE #7880 - Network Engineering - jay [at] impulse
Impulse Internet Service - http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV


ops.lists at gmail

Oct 27, 2009, 5:49 PM

Post #5 of 35 (1418 views)
Permalink
Re: dealing with bogon spam ? [In reply to]

What /20 would this be, and can you blame an out of date whois client
or whois db for it?

If the /20 is being routed, and announced - chances are it IS allocated.

On Wed, Oct 28, 2009 at 5:40 AM, Leslie <leslie [at] craigslist> wrote:
> I failed to mention we're seeing this from an unallocated /20 whose parent
> /8 is allocated to ARIN (and is partially in use)
>
> Leslie


Jon.Kibler at aset

Oct 27, 2009, 5:55 PM

Post #6 of 35 (1418 views)
Permalink
Re: dealing with bogon spam ? [In reply to]

Suresh Ramasubramanian wrote:

> If the /20 is being routed, and announced - chances are it IS allocated.

Don't bet on it. This is one of the oldest spammer tricks in the book. I worked
with ISPs as far back as the late 90s trying to track down poachers who
temporarily squat on an unallocated block and announce it to the world.

Jon Kibler
--
Jon R. Kibler
Chief Technical Officer
Advanced Systems Engineering Technology, Inc.
Charleston, SC USA
o: 843-849-8214
c: 843-813-2924
s: 843-564-4224
s: JonRKibler
e: Jon.Kibler [at] aset
e: Jon.R.Kibler [at] gmail
http://www.linkedin.com/in/jonrkibler

My PGP Fingerprint is:
BAA2 1F2C 5543 5D25 4636 A392 515C 5045 CF39 4253


ops.lists at gmail

Oct 27, 2009, 6:00 PM

Post #7 of 35 (1418 views)
Permalink
Re: dealing with bogon spam ? [In reply to]

Having been postmastering at various places for about a decade, I have
seen that too - yes. But cymru style filtering means it's kind of out
of fashion now.

Though - a lot of the cases I've seen have been

1. Out of date whois client and the IP's been allocated after the
whois client came out (with a hardcoded list of unallocated IPs)
2. Whois db is out of date - comparatively rarer but known to occur

Especially if you see a mainstream carrier routing it instead of some
small outfit in Eastern Europe .. chances are it's stale db somewhere
rather than totally unallocated block and phantom routing

On Wed, Oct 28, 2009 at 6:25 AM, Jon Kibler <Jon.Kibler [at] aset> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Suresh Ramasubramanian wrote:
>
>> If the /20 is being routed, and announced - chances are it IS allocated.
>
> Don't bet on it. This is one of the oldest spammer tricks in the book. I worked
> with ISPs as far back as the late 90s trying to track down poachers who
> temporarily squat on an unallocated block and announce it to the world.
>


jlewis at lewis

Oct 27, 2009, 6:08 PM

Post #8 of 35 (1421 views)
Permalink
Re: dealing with bogon spam ? [In reply to]

On Tue, 27 Oct 2009, Leslie wrote:

> I failed to mention we're seeing this from an unallocated /20 whose parent /8
> is allocated to ARIN (and is partially in use)

What /20 would that be? If you're sure it's unallocated, and see nothing
but spam from it, block it at your border.

----------------------------------------------------------------------
Jon Lewis | I route
Senior Network Engineer | therefore you are
Atlantic Net |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________


nanog at daork

Oct 27, 2009, 6:16 PM

Post #9 of 35 (1418 views)
Permalink
Re: dealing with bogon spam ? [In reply to]

On 28/10/2009, at 2:00 PM, Suresh Ramasubramanian wrote:

> Having been postmastering at various places for about a decade, I have
> seen that too - yes. But cymru style filtering means its kind of out
> of fashion now.

Sure, if the prefix is within something that cymru call a bogon.

If it's within a current RIR pool, not so much.

--
Nathan Ward


cchurc05 at harris

Oct 27, 2009, 6:20 PM

Post #10 of 35 (1420 views)
Permalink
Re: dealing with bogon spam ? [In reply to]

This is puzzling me. If it's from non-announced space, at some point some router should report no route to it. How is the TCP handshake performed to allow a sync to turn into spam?

Chuck

Chuck Church
Network Planning Engineer, CCIE #8776
Harris Information Technology Services
DOD Programs
1210 N. Parker Rd. | Greenville, SC 29609
Office: 864-335-9473 | Cell: 864-266-3978
--------------------------
Sent using BlackBerry


----- Original Message -----
From: Jon Lewis <jlewis [at] lewis>
To: Leslie <leslie [at] craigslist>
Cc: NANOG <nanog [at] nanog>
Sent: Tue Oct 27 21:08:12 2009
Subject: Re: dealing with bogon spam ?


On Tue, 27 Oct 2009, Leslie wrote:

> I failed to mention we're seeing this from an unallocated /20 whose parent /8
> is allocated to ARIN (and is partially in use)

What /20 would that be? If you're sure it's unallocated, and see nothing
but spam from it, block it at your border.

----------------------------------------------------------------------
Jon Lewis | I route
Senior Network Engineer | therefore you are
Atlantic Net |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________


nanog at daork

Oct 27, 2009, 6:22 PM

Post #11 of 35 (1410 views)
Permalink
Re: dealing with bogon spam ? [In reply to]

On 28/10/2009, at 2:20 PM, Church, Charles wrote:

> This is puzzling me. If it's from non-announced space, at some
> point some router should report no route to it. How is the TCP
> handshake performed to allow a sync to turn into spam?

Unallocated is not the same as unannounced.


jlewis at lewis

Oct 27, 2009, 6:27 PM

Post #12 of 35 (1410 views)
Permalink
Re: dealing with bogon spam ? [In reply to]

Unallocated doesn't mean non-routed. All a spammer needs is a
willing/non-filtering provider doing BGP with them, and they can announce
any space they like, send out some spam, and then pull the announcement.
Next morning, when you see the spam and try to figure out who to send
complaints to, you're either going to complain to the wrong people or find
that whois is of no help.

On Tue, 27 Oct 2009, Church, Charles wrote:

> This is puzzling me. If it's from non-announced space, at some point some router should report no route to it. How is the TCP handshake performed to allow a sync to turn into spam?
>
> Chuck
>
> Chuck Church
> Network Planning Engineer, CCIE #8776
> Harris Information Technology Services
> DOD Programs
> 1210 N. Parker Rd. | Greenville, SC 29609
> Office: 864-335-9473 | Cell: 864-266-3978
> --------------------------
> Sent using BlackBerry
>
>
> ----- Original Message -----
> From: Jon Lewis <jlewis [at] lewis>
> To: Leslie <leslie [at] craigslist>
> Cc: NANOG <nanog [at] nanog>
> Sent: Tue Oct 27 21:08:12 2009
> Subject: Re: dealing with bogon spam ?
>
>
> On Tue, 27 Oct 2009, Leslie wrote:
>
>> I failed to mention we're seeing this from an unallocated /20 whose parent /8
>> is allocated to ARIN (and is partially in use)
>
> What /20 would that be? If you're sure it's unallocated, and see nothing
> but spam from it, block it at your border.
>
> ----------------------------------------------------------------------
> Jon Lewis | I route
> Senior Network Engineer | therefore you are
> Atlantic Net |
> _________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
>
>

----------------------------------------------------------------------
Jon Lewis | I route
Senior Network Engineer | therefore you are
Atlantic Net |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________


ops.lists at gmail

Oct 27, 2009, 6:47 PM

Post #13 of 35 (1408 views)
Permalink
Re: dealing with bogon spam ? [In reply to]

Seen it before - but mostly for malware rather than for spam. And
certainly not long enough / persistent enough for a full fledged spam
campaign (4..5 days rather than a day or two at the most when people
start noticing and dropping the bogus announcement)

On Wed, Oct 28, 2009 at 6:57 AM, Jon Lewis <jlewis [at] lewis> wrote:
> Unallocated doesn't mean non-routed.  All a spammer needs is a
> willing/non-filtering provider doing BGP with them, and they can announce
> any space they like, send out some spam, and then pull the announcement.
> Next morning, when you see the spam and try to figure out who to send
> complaints to, you're either going to complain to the wrong people or find
> that whois is of no help.


leslie at craigslist

Oct 27, 2009, 11:44 PM

Post #14 of 35 (1397 views)
Permalink
Re: dealing with bogon spam ? [In reply to]

Yes, unallocated (at least according to ARIN's whois db) but not
unannounced - obviously our network can get to the space or else I
wouldn't be having a spam problem with them! I'm actually seeing this
/20 as advertised through Savvis from AS40430

It seems to me like the best solution might be a semi-hacky solution of
asking ARIN (and other IRR's) if I can copy its DB and creating an
internal peer which null routes unallocated blocks (updated nightly?)

Has anyone seen an IRR's DB's not being updated for more than 30 days
after allocations? I always assumed that they are quickly updated.

Thanks again,
Leslie

Jon Lewis wrote:
> Unallocated doesn't mean non-routed. All a spammer needs is a
> willing/non-filtering provider doing BGP with them, and they can
> announce any space they like, send out some spam, and then pull the
> announcement. Next morning, when you see the spam and try to figure out
> who to send complaints to, you're either going to complain to the wrong
> people or find that whois is of no help.
>
> On Tue, 27 Oct 2009, Church, Charles wrote:
>
>> This is puzzling me. If it's from non-announced space, at some point
>> some router should report no route to it. How is the TCP handshake
>> performed to allow a sync to turn into spam?
>>
>> Chuck
>>
>> Chuck Church
>> Network Planning Engineer, CCIE #8776
>> Harris Information Technology Services
>> DOD Programs
>> 1210 N. Parker Rd. | Greenville, SC 29609
>> Office: 864-335-9473 | Cell: 864-266-3978
>> --------------------------
>> Sent using BlackBerry
>>
>>


ops.lists at gmail

Oct 28, 2009, 12:26 AM

Post #15 of 35 (1391 views)
Permalink
Re: dealing with bogon spam ? [In reply to]

Ah, colo4jax I see. Jacksonville, Florida.

68.234.16.0/20 shows up as unallocated but as these guys own the
previous /20 it's probably a stale arin db and a brand new allocation

Prefix              AS Path                     Aggregation Suggestion
68.234.0.0/20       4777 2497 25973 40430
68.234.16.0/20      4608 1221 4637 3561 40430
69.174.96.0/21      4777 2497 25973 40430
173.205.80.0/20     4777 2497 25973 40430
204.237.184.0/21    4777 2497 25973 40430
204.237.192.0/22    4777 2497 25973 40430
208.153.96.0/22     4777 2497 25973 40430
208.169.228.0/22    4777 2497 25973 40430


On Wed, Oct 28, 2009 at 12:14 PM, Leslie <leslie [at] craigslist> wrote:
> Yes, unallocated (at least according to ARIN's whois db) but not unannounced
> - obviously our network can get to the space or else I wouldn't be having a
> spam problem with them!   I'm actually seeing this  /20 as advertised
> through Savvis from AS40430
>
> It seems to me like the best solution might be a semi-hacky solution of
> asking arin (and other IRR's) if i can copy its DB and creating an internal
> peer which null routes unallocated blocks (updated nightly?)
>
> Has anyone seen an IRR's DB's not being updated for more than 30 days after
> allocations?  I always assumed that they are quickly updated.
>
> Thanks again,
> Leslie
>
> Jon Lewis wrote:
>>
>> Unallocated doesn't mean non-routed.  All a spammer needs is a
>> willing/non-filtering provider doing BGP with them, and they can announce
>> any space they like, send out some spam, and then pull the announcement.
>> Next morning, when you see the spam and try to figure out who to send
>> complaints to, you're either going to complain to the wrong people or find
>> that whois is of no help.
>>
>> On Tue, 27 Oct 2009, Church, Charles wrote:
>>
>>> This is puzzling me.  If it's from non-announced space, at some point
>>> some router should report no route to it.  How is the TCP handshake
>>> performed to allow a sync to turn into spam?
>>>
>>> Chuck
>>>
>>> Chuck Church
>>> Network Planning Engineer, CCIE #8776
>>> Harris Information Technology Services
>>> DOD Programs
>>> 1210 N. Parker Rd. | Greenville, SC 29609
>>> Office: 864-335-9473 | Cell: 864-266-3978
>>> --------------------------
>>> Sent using BlackBerry
>>>
>>>
>
>



--
Suresh Ramasubramanian (ops.lists [at] gmail)


jtk at cymru

Oct 28, 2009, 1:27 AM

Post #16 of 35 (1392 views)
Permalink
Re: dealing with bogon spam ? [In reply to]

On Tue, 27 Oct 2009 23:44:40 -0700
Leslie <leslie [at] craigslist> wrote:

> It seems to me like the best solution might be a semi-hacky solution
> of asking arin (and other IRR's) if i can copy its DB and creating an
> internal peer which null routes unallocated blocks (updated nightly?)
>
> Has anyone seen an IRR's DB's not being updated for more than 30 days
> after allocations? I always assumed that they are quickly updated.

Note, ARIN is an RIR, a regional internet registry, which is what I
presume you meant there. Nevertheless, while it might be worth a try
from a research perspective, it may be a bit risky in a production
environment. In addition, someone may announce a more specific so keep
that scenario in mind. The CIDR Report monitors RIR allocation data.
This may be of interest to you:

<http://www.cidr-report.org/bogons/rir-data.html>

You can get access to that allocation data as noted here:

<https://www.arin.net/knowledge/statistics/rir.html>

John


michiel at klaver

Oct 28, 2009, 1:48 AM

Post #17 of 35 (1391 views)
Permalink
Re: dealing with bogon spam ? [In reply to]

I would suggest to report that netblock to SpamHaus to have it included at
their DROP list, and also use that DROP list as extra filter in addition to
your bogon filter setup at your border routers.

The SpamHaus DROP (Don't Route Or Peer) list was specially designed for this
kind of abuse of stolen 'hijacked' netblocks and netblocks controlled
entirely by professional spammers.

http://www.spamhaus.org/drop/


With kind regards,

Michiel Klaver
IT Professional


jeroen at unfix

Oct 28, 2009, 2:36 AM

Post #18 of 35 (1382 views)
Permalink
Re: dealing with bogon spam ? [In reply to]

Leslie wrote:
[..]
> It seems to me like the best solution might be a semi-hacky solution of
> asking arin (and other IRR's) if i can copy its DB and creating an
> internal peer which null routes unallocated blocks (updated nightly?)

What you want to take is:

// RIR "delegated" statistics files, keyed by registry name
$rirs = array(
    "afrinic" => "ftp://ftp.ripe.net/pub/stats/afrinic/delegated-afrinic-latest",
    "apnic"   => "ftp://ftp.ripe.net/pub/stats/apnic/delegated-apnic-latest",
    "arin"    => "ftp://ftp.arin.net/pub/stats/arin/delegated-arin-latest",
    "lacnic"  => "ftp://ftp.ripe.net/pub/stats/lacnic/delegated-lacnic-latest",
    "ripe"    => "ftp://ftp.ripe.net/pub/stats/ripencc/delegated-ripencc-latest",
    "brnic"   => "ftp://ftp.registro.br/pub/stats/delegated-ipv6-nicbr-latest",

    //// Avoid broken/slow servers:
    //// "afrinic" => "ftp://ftp.afrinic.net/pub/stats/afrinic/delegated-afrinic-latest",
    //// "apnic"   => "ftp://ftp.apnic.net/apnic/stats/apnic/delegated-apnic-latest",
    //// "lacnic"  => "ftp://ftp.lacnic.net/pub/stats/lacnic/delegated-lacnic-latest",
);


Yes, generally the latter three are broken, but as they are mirrored to
RIPE anyway, you can just pull them off there.

Then you have all IPv4 and IPv6 delegated blocks. If it is not in there,
it is a bogon. Yes, those are updated only once in a day or so, thus if
someone is going to start using the block before it is published in
those files you will get some false-positives, but then ask the question
why they get a block up so quickly and start spamming you in the first
place.....

Those /stats/ dirs contain other useful things btw.

Greets,
Jeroen
Attachments: signature.asc (0.19 KB)
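
The check described in the post above ("if it is not in there, it is a bogon"), as an added example that is not part of the original thread or the poster's code. It parses records in the RIR delegated statistics format, tests whether an address or prefix lies in delegated space, and lists the undelegated gaps inside a parent block, which is the case raised earlier of an unallocated /20 inside a partly used parent. The sample records (10.20.0.0/16) are constructed and the function names are this example's own.

```python
import ipaddress

# Constructed sample in the RIR "delegated" statistics format
# (registry|cc|type|start|value|date|status). Not real registry data.
SAMPLE = """\
# constructed sample for illustration
2|arin|20091028|4|19700101|20091027|-0400
arin|*|ipv4|*|3|summary
arin|*|ipv6|*|1|summary
arin|US|ipv4|10.20.0.0|4096|20080115|allocated
arin|US|ipv4|10.20.32.0|768|20090302|assigned
arin|CA|ipv4|10.20.64.0|8192|20090911|allocated
arin|US|ipv6|2001:db8::|32|20090101|allocated
"""


def collapse(nets):
    """Merge adjacent/overlapping networks, IPv4 and IPv6 separately."""
    out = []
    for version in (4, 6):
        same = [n for n in nets if n.version == version]
        out.extend(ipaddress.collapse_addresses(same))
    return out


def parse_delegated(text):
    """Return collapsed networks for every allocated/assigned record."""
    nets = []
    for line in text.splitlines():
        fields = line.strip().split("|")
        # Skip comments and summary lines (6 fields). The version header
        # has 7 fields but its last one is a UTC offset, not a status.
        if line.startswith("#") or len(fields) < 7:
            continue
        _reg, _cc, rtype, start, value, _date, status = fields[:7]
        if status not in ("allocated", "assigned"):
            continue
        if rtype == "ipv4":
            # For IPv4 the value is an address COUNT and need not be a
            # power of two, so one record can expand to several CIDRs.
            first = ipaddress.IPv4Address(start)
            last = first + (int(value) - 1)
            nets.extend(ipaddress.summarize_address_range(first, last))
        elif rtype == "ipv6":
            # For IPv6 the value is the prefix length.
            nets.append(ipaddress.ip_network(f"{start}/{value}"))
    return collapse(nets)


def is_delegated(target, nets):
    """True only if the whole address/prefix lies inside delegated space."""
    t = ipaddress.ip_network(target, strict=False)
    return any(t.version == n.version and t.subnet_of(n) for n in nets)


def unallocated_within(parent, nets):
    """List the CIDR blocks of `parent` not covered by any delegation."""
    parent = ipaddress.ip_network(parent)
    free = [parent]
    for n in nets:
        if n.version != parent.version:
            continue
        remaining = []
        for block in free:
            if n.subnet_of(block):
                # Carve the delegation out; yields nothing if n == block.
                remaining.extend(block.address_exclude(n))
            elif not block.subnet_of(n):
                remaining.append(block)  # disjoint, keep as free
        free = remaining
    return sorted(free)


if __name__ == "__main__":
    delegated = parse_delegated(SAMPLE)
    for src in ("10.20.1.25", "10.20.16.9", "10.20.32.0/22"):
        verdict = "delegated" if is_delegated(src, delegated) else "BOGON"
        print(f"{src:16} {verdict}")
    print("null-route candidates in 10.20.0.0/16:")
    for gap in unallocated_within("10.20.0.0/16", delegated):
        print("  ", gap)
```

As the thread notes, these files are refreshed roughly daily, so a freshly allocated block can still show up as a gap; a list built this way should be regenerated on a schedule rather than kept permanently.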


Valdis.Kletnieks at vt

Oct 28, 2009, 4:14 AM

Post #19 of 35 (1380 views)
Permalink
Re: dealing with bogon spam ? [In reply to]

On Tue, 27 Oct 2009 16:57:17 PDT, Leslie said:
> We're seeing a decent chunk of spam coming from an unallocated block of
> address space.

Fear not, this will end when we run out of IPv4 space not too many months
down the road :)

I admit to remaining confused as to why we still keep seeing providers who fail
to do basic due-diligence like BCP38 filtering of packets, or asking a new BGP
peer what they expect to announce and then filter based on that. I mean, come
on guys - sure they may be 6 cents a meg cheaper, but do you really want to buy
connectivity from a provider that can't run their network in a proper fashion?

Don't answer that. ;)


jared at puck

Oct 28, 2009, 4:17 AM

Post #20 of 35 (1380 views)
Permalink
Re: dealing with bogon spam ? [In reply to]

On Oct 28, 2009, at 2:44 AM, Leslie wrote:

> Yes, unallocated (at least according to ARIN's whois db) but not
> unannounced - obviously our network can get to the space or else I
> wouldn't be having a spam problem with them! I'm actually seeing
> this /20 as advertised through Savvis from AS40430
>
> It seems to me like the best solution might be a semi-hacky solution
> of asking arin (and other IRR's) if i can copy its DB and creating
> an internal peer which null routes unallocated blocks (updated
> nightly?)
>
> Has anyone seen an IRR's DB's not being updated for more than 30
> days after allocations? I always assumed that they are quickly
> updated.
>
> Thanks again,
> Leslie

You may want to take a look at what is going on in the SIDR working
group if you want something similar to this.

- Jared


jared at puck

Oct 28, 2009, 4:25 AM

Post #21 of 35 (1380 views)
Permalink
Re: dealing with bogon spam ? [In reply to]

On Oct 28, 2009, at 7:14 AM, Valdis.Kletnieks [at] vt wrote:

> On Tue, 27 Oct 2009 16:57:17 PDT, Leslie said:
>> We're seeing a decent chunk of spam coming from an unallocated
>> block of
>> address space.
>
> Fear not, this will end when we run out of IPv4 space not too many
> months
> down the road :)
>
> I admit to remaining confused as to why we still keep seeing
> providers who fail
> to do basic due-diligence like BCP38 filtering of packets, or asking
> a new BGP
> peer what they expect to announce and then filter based on that. I
> mean, come
> on guys - sure they may be 6 cents a meg cheaper, but do you really
> want to buy
> connectivity from a provider that can't run their network in a
> proper fashion?
>
> Don't answer that. ;)

I can answer the above question regarding BCP38:

Vendor software defects and architecture limitations make it
challenging to deploy a solution whereby BCP38 can be universally
deployed.

Customers that are unwilling to announce all their space also make
uRPF problematic. I'd like to see 'loose-rpf' universally deployed
myself. There is no reason for unrouted space to have packets sourced
from it. This makes up a fair percentage of traffic that root/gtld
nameservers see (based on conversations I've had with operators over
the years).

If you configure CPE devices and don't utilize anti-spoofing
capabilities on the CPE-Lan, please add that to your templates. It is
helpful to the internet as a whole, while you may not personally see
return on your investment, others will.

- Jared


randy at psg

Oct 28, 2009, 6:20 AM

Post #22 of 35 (1376 views)
Permalink
Re: dealing with bogon spam ? [In reply to]

>> It seems to me like the best solution might be a semi-hacky solution of
>> asking arin (and other IRR's) if i can copy its DB and creating an
>> internal peer which null routes unallocated blocks (updated nightly?)
>
> What you want to take is:
>
> $rirs = array(
> "afrinic" =>
> "ftp://ftp.ripe.net/pub/stats/afrinic/delegated-afrinic-latest",
> "apnic" =>
> "ftp://ftp.ripe.net/pub/stats/apnic/delegated-apnic-latest",
> "arin" =>
> "ftp://ftp.arin.net/pub/stats/arin/delegated-arin-latest",
> "lacnic" =>
> "ftp://ftp.ripe.net/pub/stats/lacnic/delegated-lacnic-latest",
> "ripe" =>
> "ftp://ftp.ripe.net/pub/stats/ripencc/delegated-ripencc-latest",
> "brnic" =>
> "ftp://ftp.registro.br/pub/stats/delegated-ipv6-nicbr-latest",
>
> //// Avoid broken/slow servers:
> //// "afrinic" =>
> "ftp://ftp.afrinic.net/pub/stats/afrinic/delegated-afrinic-latest",
> //// "apnic" =>
> "ftp://ftp.apnic.net/apnic/stats/apnic/delegated-apnic-latest",
> //// "lacnic" =>
> "ftp://ftp.lacnic.net/pub/stats/lacnic/delegated-lacnic-latest",
> );

this is brilliant. maybe we should form an org to do this and
distribute via bgp? shall we have a contest for the name of the org?
my bid is cymru

randy


jeroen at unfix

Oct 28, 2009, 6:52 AM

Post #23 of 35 (1387 views)
Permalink
Re: dealing with bogon spam ? [In reply to]

Randy Bush wrote:
>>> It seems to me like the best solution might be a semi-hacky solution of
>>> asking arin (and other IRR's) if i can copy its DB and creating an
>>> internal peer which null routes unallocated blocks (updated nightly?)
>> What you want to take is:
>>
>> $rirs = array(
>> "afrinic" =>
>> "ftp://ftp.ripe.net/pub/stats/afrinic/delegated-afrinic-latest",
[..]
> this is brilliant. maybe we should form an org to do this and
> distribute via bgp? shall we have a contest for the name of the org?
> my bid is cymru

Who have it already indeed for a long long time and have a proven track
record.

I noted the above for the people who want to get their own copy from the
IRRs, like what was asked above. For instance for the few who want to
build their own setups, want to integrate it in their own systems etc.

Greets,
Jeroen
Attachments: signature.asc (0.19 KB)


nanog at daork

Oct 28, 2009, 7:24 AM

Post #24 of 35 (1375 views)
Permalink
Re: dealing with bogon spam ? [In reply to]

On 29/10/2009, at 2:52 AM, Jeroen Massar wrote:

> Randy Bush wrote:
>>>> It seems to me like the best solution might be a semi-hacky
>>>> solution of
>>>> asking arin (and other IRR's) if i can copy its DB and creating an
>>>> internal peer which null routes unallocated blocks (updated
>>>> nightly?)
>>> What you want to take is:
>>>
>>> $rirs = array(
>>> "afrinic" =>
>>> "ftp://ftp.ripe.net/pub/stats/afrinic/delegated-afrinic-latest",
> [..]
>> this is brilliant. maybe we should form an org to do this and
>> distribute via bgp? shall we have a contest for the name of the org?
>> my bid is cymru
>
> Who have it already indeed for a long long time and have a proven
> track
> record.
>
> I noted the above for the people who want to get their own copy from
> the
> IRRs, like what was asked above. For instance for the few who want to
> build their own setups, want to integrate it in their own systems etc.

I can't see anything on their site that provides a BGP feed of
prefixes allocated by RIRs, which I think is what we're talking about
here.

--
Nathan Ward


jtk at cymru

Oct 28, 2009, 7:58 AM

Post #25 of 35 (1376 views)
Permalink
Re: dealing with bogon spam ? [In reply to]

On Thu, 29 Oct 2009 03:24:17 +1300
Nathan Ward <nanog [at] daork> wrote:

> I can't see anything on their site that provides a BGP feed of
> prefixes allocated by RIRs, which I think is what we're talking
> about here.

We currently provide a BGP bogon route server feed for the asking,
which are routes of 'well known' aggregate prefixes published by IANA as
well as special and reserved netblocks documented by the IETF that should
not be seen on the public net.

Providing a feed of allocations would be the opposite approach of
course.

I suppose if there is interest and a need we could do this. Shoot
myself or the team (info [at] cymru) a note off list if you have
thoughts on the matter or simply want to provide some feedback into
such a service and how it might best be used. We're always on the look
out for things we can do to help.

John
