RE: [fw-wiz] RE: Why blocking bogons buys you nothing (Mikael Olsson)

TSimons_at_Delphi-Tech.com
Date: 11/11/03

    To: broyds@rogers.com
    Date: Tue, 11 Nov 2003 11:35:27 -0500
    
    

    Our goal was to cut off access to overseas networks except for our corporate
    web site and email delivery.

    ~Todd

    -----Original Message-----
    From: Bill Royds [mailto:broyds@rogers.com]
    Sent: Tuesday, November 11, 2003 11:32 AM
    To: TSimons@Delphi-Tech.com; mikael.olsson@clavister.com;
    gillsr@yahoo.com
    Cc: firewall-wizards@honor.icsalabs.com
    Subject: Re: [fw-wiz] RE: Why blocking bogons buys you nothing (Mikael
    Olsson)

    Your list is blocking a lot of populated legitimate networks. For
    example 81.0.0.0/8 is part of the RIPE network and includes legitimate IPs
    from Spain, Germany and other countries. These are certainly not bogons so
    blocking these actually cuts your connectivity.
       They will have rogue users, but so will 24.0.0.0/8, the cable modem
    networks. Why not cut that off as well?

    ----- Original Message -----
    From: <TSimons@Delphi-Tech.com>
    To: <mikael.olsson@clavister.com>; <gillsr@yahoo.com>
    Cc: <firewall-wizards@honor.icsalabs.com>
    Sent: Monday, November 10, 2003 1:46 PM
    Subject: RE: [fw-wiz] RE: Why blocking bogons buys you nothing (Mikael
    Olsson)

    : Just some information/stats from another bogon user. We block Bogons, then
    : rogue/unused ports.
    :
    : In a period of 3 hours, here are the blocked packet counts from our routers.
    : Note: we do NOT block access to our corporate web site, nor to our smtp
    : servers which are the only services that we really have available to the
    : public.
    :
    : deny ip 61.0.0.0 0.255.255.255 any (476 matches)
    : deny ip 62.0.0.0 0.255.255.255 any (278 matches)
    : deny ip 80.0.0.0 0.255.255.255 any (250 matches)
    : deny ip 81.0.0.0 0.255.255.255 any (362 matches)
    : deny ip 148.203.0.0 0.0.255.255 any
    : deny ip 148.204.0.0 0.3.255.255 any (2 matches)
    : deny ip 148.208.0.0 0.15.255.255 any
    : deny ip 148.224.0.0 0.15.255.255 any (228 matches)
    : deny ip 148.234.0.0 0.0.255.255 any
    : deny ip 148.240.0.0 0.7.255.255 any (2 matches)
    : deny ip 148.248.0.0 0.1.255.255 any
    : deny ip 148.250.0.0 0.0.255.255 any
    : deny ip 150.0.0.0 0.0.255.255 any
    : deny ip 150.2.0.0 0.1.255.255 any
    : deny ip 150.4.0.0 0.3.255.255 any
    : deny ip 150.8.0.0 0.7.255.255 any
    : deny ip 150.16.0.0 0.15.255.255 any
    : deny ip 150.32.0.0 0.31.255.255 any
    : deny ip 150.64.0.0 0.31.255.255 any
    : deny ip 150.96.0.0 0.3.255.255 any
    : deny ip 150.100.0.0 0.0.255.255 any
    : deny ip 164.0.0.0 0.31.255.255 any
    : deny ip 164.32.0.0 0.7.255.255 any
    : deny ip 164.40.0.0 0.0.255.255 any
    : deny ip 210.0.0.0 0.255.255.255 any (440 matches)
    : deny ip 211.0.0.0 0.255.255.255 any (335 matches)
    : deny ip 217.0.0.0 0.255.255.255 any (638 matches)
    : deny ip 218.0.0.0 0.255.255.255 any (556 matches)
    : deny ip 219.0.0.0 0.255.255.255 any (542 matches)
    : deny ip 220.0.0.0 0.255.255.255 any (424 matches)
    : deny ip 221.0.0.0 0.255.255.255 any (364 matches)
    : deny tcp any any eq 22
    : deny tcp any any eq 57
    : deny tcp any any eq 81
    : deny tcp any any eq sunrpc
    : deny tcp any any eq 135 (6572 matches)
    : deny udp any any eq netbios-ns (72 matches)
    : deny tcp any any eq 445 (200 matches)
    : deny tcp any any eq 1002
    : deny tcp any any eq 1080 (2 matches)
    : deny tcp any any eq 1081
    : deny tcp any any eq 1433
    : deny tcp any any eq 2112
    : deny tcp any any eq 55555
    :
    :
    : -----Original Message-----
    : From: Mikael Olsson [mailto:mikael.olsson@clavister.com]
    : Sent: Sunday, November 09, 2003 1:07 PM
    : To: Stephen Gill
    : Cc: firewall-wizards@honor.icsalabs.com
    : Subject: Re: [fw-wiz] RE: Why blocking bogons buys you nothing (Mikael
    : Olsson)
    :
    :
    :
    :
    : Stephen Gill wrote:
    : >
    : > I'd like to point out a few issues with your report as I tend to
    : > disagree with it :).
    :
    : Argumentation good. Shoot.
    :
    :
    : > ] Why Blocking Bogons Buys You Nothing
    : >
    : > This title is misleading. [...]
    : > I think you mean to say: "Why Blocking Inbound Bogons Buys You Very Little
    : > on Firewalls"
    : >
    :
    : Indeed. I added the "Inbound" clause to the title of
    : http://www.clueby4.org/pubs/blocking-bogons.txt
    :
    :
    : > Blocking Bogons buys you a LOT, you just don't
    : > get to see the benefits because others are doing it for you.
    :
    : Actually, don't you mean egress spoofing protection here?
    : That's a totally separate issue.
    :
    :
    : > So why are we drawing global conclusions from a _single_ site?
    :
    : Because from what I've seen, that's pretty much what everyone else
    : is doing when it comes to bogons :)
    :
    : This MAN has about five or six thousand public IPs, spread out over
    : five or six disjoint spans. It's got plenty of people that are likely
    : to attract DDoS attacks (IRC weenies), and indeed, they do happen.
    :
    : It's not the uunet backbone, but, in my opinion, it's representative
    : enough for my target audience.
    :
    :
    : > Many DDOS attacks I see still use random spoofed sources. Most DDOS
    : > attack data points to bogon filtering having a _significant_ impact
    : > on reducing the overall load reached on the target network.
    :
    : 40-50% is not "significant" for a DDoS in my opinion. Especially
    : not if you're doing it on the wrong end of your Internet connection.
    :
    :
    : > ] Blocking the 0/8 network, 127/8 network and 224/3 networks is another
    : > ] thing altogether; there are firm technical and security reasons for
    : > ] doing that.
    : >
    : > There are other networks that will never be part of the global Internet
    : > routing table, such as but not limited to RFC 1918 space.
    :
    : Yes, but the technical reasons are not the same.
    :
    : - 0.* is good to drop because of dumb software that assumes that if
    : the first byte of the IP address is 0, it's uninitialized or
    : otherwise has a special meaning
    :
    : - 127.* is good because lots of dumb software think that packets
    : sourced from 127.* couldn't have come across the network
    :
    : - 224.* and up is good because you don't want to end up sending responses
    : to multicast addresses that end up getting forwarded to thousands
    : of hosts/routers
    :
    :
    : > [... snip lots of argumentation related to me not putting
    : > "inbound" in the title. It's there now.]
    :
    :
    :
    : --
    : Mikael Olsson, Clavister AB
    : Storgatan 12, Box 393, SE-891 28 ÖRNSKÖLDSVIK, Sweden
    : Phone: +46 (0)660 29 92 00 Mobile: +46 (0)70 26 222 05
    : Fax: +46 (0)660 122 50 WWW: http://www.clavister.com
    : _______________________________________________
    : firewall-wizards mailing list
    : firewall-wizards@honor.icsalabs.com
    : http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
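Added example, not part of the thread above and not code from any of the posters: a small Python audit script that does the check Bill Royds is asking for against Todd's ACL. It converts Cisco address/wildcard pairs to CIDR, sorts each deny into the ranges Mikael gives firm technical reasons for dropping (0/8, 127/8, 224/3, plus RFC 1918 space, which Stephen Gill raises) versus allocated unicast space that should be verified against a current registry or bogon feed before it is blocked, and totals the hit counters so the address filtering can be weighed against the port filtering next to it. The function names, the ALWAYS_DROP table and its reason strings are my choices; the sample input is a constructed subset of Todd's posted list with his match counters copied as given.

```python
import ipaddress
import re

# Constructed sample: a subset of the Cisco-style ACL counters posted in the
# thread. The "(N matches)" figures are the poster's 3-hour counters.
SAMPLE_ACL = """\
deny ip 61.0.0.0 0.255.255.255 any (476 matches)
deny ip 81.0.0.0 0.255.255.255 any (362 matches)
deny ip 148.204.0.0 0.3.255.255 any (2 matches)
deny ip 150.32.0.0 0.31.255.255 any
deny ip 217.0.0.0 0.255.255.255 any (638 matches)
deny tcp any any eq 22
deny tcp any any eq 135 (6572 matches)
deny udp any any eq netbios-ns (72 matches)
deny tcp any any eq 445 (200 matches)
"""

# Ranges with a firm technical reason to drop regardless of who holds them
# (the three named in the thread, plus RFC 1918 private space). Everything
# outside this table is allocated or allocatable unicast space: check it
# against a current RIR/bogon feed before it goes into a deny list.
# Table contents and reason strings are this example's own, not the thread's.
ALWAYS_DROP = {
    ipaddress.ip_network("0.0.0.0/8"): "software treats a 0.x source as unset/special",
    ipaddress.ip_network("127.0.0.0/8"): "loopback; should never arrive over the network",
    ipaddress.ip_network("224.0.0.0/3"): "multicast/reserved; replies would fan out",
    ipaddress.ip_network("10.0.0.0/8"): "RFC 1918 private",
    ipaddress.ip_network("172.16.0.0/12"): "RFC 1918 private",
    ipaddress.ip_network("192.168.0.0/16"): "RFC 1918 private",
}

ADDR_RE = re.compile(r"^deny\s+ip\s+(\S+)\s+(\S+)\s+any(?:\s+\((\d+) matches\))?\s*$")
PORT_RE = re.compile(r"^deny\s+(tcp|udp)\s+any\s+any\s+eq\s+(\S+)(?:\s+\((\d+) matches\))?\s*$")


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Convert a Cisco address/wildcard pair to a CIDR network.

    In a wildcard mask a 1 bit means "don't care". Only a contiguous run of
    low-order 1 bits has a CIDR equivalent; anything else (e.g. 0.255.0.255)
    matches a scattered set and is rejected rather than silently approximated.
    """
    w = int(ipaddress.IPv4Address(wildcard))
    if w & (w + 1):
        raise ValueError(f"non-contiguous wildcard mask {wildcard}")
    prefixlen = 32 - w.bit_length()
    # strict=False: the router masks host bits itself, so "1.2.3.4 0.255.255.255"
    # still means 1.0.0.0/8.
    return ipaddress.ip_network(f"{addr}/{prefixlen}", strict=False)


def classify(net: ipaddress.IPv4Network) -> str:
    """Verdict for one denied range: inside a reserved range, partly inside
    one, or allocated unicast space that needs a registry check."""
    for reserved, reason in ALWAYS_DROP.items():
        if net.subnet_of(reserved):
            return f"reserved: {reason}"
        if net.overlaps(reserved):
            return f"overlaps {reserved}: {reason}"
    return "allocated unicast: verify before blocking"


def parse_acl(text: str) -> list:
    """Parse 'deny' lines into dicts; lines that match neither pattern are
    kept under kind='other' so nothing is dropped silently."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ADDR_RE.match(line)
        if m:
            net = wildcard_to_network(m.group(1), m.group(2))
            entries.append({"kind": "address", "net": net,
                            "matches": int(m.group(3) or 0), "verdict": classify(net)})
            continue
        m = PORT_RE.match(line)
        if m:
            entries.append({"kind": "port", "proto": m.group(1), "port": m.group(2),
                            "matches": int(m.group(3) or 0), "verdict": "port filter"})
            continue
        entries.append({"kind": "other", "line": line, "matches": 0, "verdict": "unparsed"})
    return entries


def summarize(entries: list) -> dict:
    """Total hit counters per rule kind."""
    totals = {"address": 0, "port": 0, "other": 0}
    for e in entries:
        totals[e["kind"]] += e["matches"]
    return totals


if __name__ == "__main__":
    parsed = parse_acl(SAMPLE_ACL)
    for e in parsed:
        if e["kind"] == "address":
            target = str(e["net"])
        elif e["kind"] == "port":
            target = f"{e['proto']}/{e['port']}"
        else:
            target = e["line"]
        print(f"{target:24} {e['matches']:6d}  {e['verdict']}")
    print(summarize(parsed))
```

Run against the full posted list, every address rule comes back "allocated unicast: verify before blocking", which is the point of the objection: none of those ranges are bogons by the technical definition, so each one is a connectivity decision, not a hygiene one. The non-contiguous-wildcard check matters on real ACLs because Cisco accepts masks such as 0.255.0.255 that have no CIDR form; a converter that silently picks a prefix length there would misreport what the router actually blocks.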

