North American Network Operators Group
Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: Open relays and open proxies

  • From: Jeff Kell
  • Date: Thu Apr 24 16:36:26 2003 
Joe St Sauver wrote:
What's really needed is some way to take open proxy DNSBL data and instantiate a dump of that data onto a suitable appliance. It is probably
too much state to burden a reasonable sized border route with, but you could imagine other devices that could probably handle it (at least for
moderate speed flows), much as there are currently middle boxes which
rip open packets to target peer to peer traffic.
Along those lines, I have been running an ACL-based spam blocker at ingress for a little over six months, but it has really surpassed the manageable level for many devices. To put this in perspective, we use
a feed from SPEWS level 1 data, current DShield block list, and some manual black/whitelist data, shove it through a perl script, and
produce a TFTPable config file which is then 'config net'ed into our edge devices.

The last few days of SPEWS data varies around 14000 lines (mix of CIDR blocks and individual hosts), currently 2400 lines in our local additions, yielding a merged ACL (with ingress blocks, bogons, Dshield blocks, and anti-spam) of ~15800 lines (~603kB). With 'service compress-config' enabled, this fits into a 3640 and doesn't kill it in the process (8xT1s). It overflows TCAM on a 6509 and forces process switching in the ingress direction, but otherwise works (1xGigE, 2x100FE).

On the other hand, NJABL.ORG lists 255K open relays, 170K open proxies, and a spattering of dialups and other listings. This is way beyond ACLs that I could even imagine thinking about :-)

Jeff