North American Network Operators Group


Re: zotob - blocking tcp/445

  • From: Bill Nash
  • Date: Thu Aug 18 13:08:27 2005

On Thu, 18 Aug 2005, Roger Marquis wrote:

> My question is not what can we do about bots, we already filter
> these worst case networks, but what can we do to make it worthwhile
> for bot-providers like NETNET to police their own networks without
> involving lawyers?

Establish and document a history that determines peering with that network, or its providers, presents a significant risk to your network, or that of your customers.

If you've got a view into your traffic that looks like this:
(SELECT source, proto, dstPort, COUNT(destination) AS count FROM flows WHERE packets < 4 GROUP BY source, proto, dstPort ORDER BY count DESC)

Source           proto  dstPort  count
62.149.195.129   6      42       13018
203.69.204.250   6      445      12889
213.123.129.237  1      2048     12693
70.17.255.43     6      443      12685
217.132.56.139   6      4899     11056
209.181.111.12   6      135      8148
221.210.149.97   6      4899     7368
212.24.201.220   6      135      6451
172.131.83.244   6      135      6025
209.188.172.66   6      445      5055
80.177.36.162    6      445      4982
64.121.65.197    6      4899     4262
64.32.117.250    6      135      3954
213.144.99.241   6      445      3493
64.231.44.65     6      135      3157
213.123.129.237  6      139      2988
222.84.236.98    6      1023     2414
222.84.236.98    6      9898     2398
64.228.209.103   6      135      2305

Determining who to consider peering with gets a lot easier. (ASNs left off to annoy the truly curious.)

As a provider, we don't want to be filtering heavily, as it invariably leads to making allowances for Customer X. The management overhead, as well as the impact on packet processing, is too great. It's easier for us to be able to monitor and report to our customers what's affecting them, and make sure they have the right tools in place to protect them from these kinds of shenanigans.

- billn
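The flow query above, run end to end as an added example (this is not code from the post or from its author): it loads a constructed set of flow records into an in-memory SQLite table with the columns the query names (source, destination, proto, dstPort, packets), runs the same grouping with the packets-per-flow threshold as a parameter, and returns the sources generating the most short flows. The sample addresses come from the documentation ranges 203.0.113.0/24, 198.51.100.0/24 and 192.0.2.0/24 and are constructed, as are the flow counts; the threshold of 20 flows used by `noisy_sources` is an assumed operator choice, not a value from the post.

```python
import sqlite3
from typing import Iterable, List, Tuple

Flow = Tuple[str, str, int, int, int]  # (source, destination, proto, dstPort, packets)

# Constructed sample flow records; the addresses are documentation ranges, not real hosts.
SAMPLE_FLOWS: List[Flow] = []
# One source touching tcp/445 on 40 hosts with only 1-3 packets per flow (bare connection attempts).
for i in range(1, 41):
    SAMPLE_FLOWS.append(("203.0.113.10", f"198.51.100.{i}", 6, 445, 1 + i % 3))
# A second source doing the same against tcp/135 on 25 hosts.
for i in range(1, 26):
    SAMPLE_FLOWS.append(("203.0.113.77", f"198.51.100.{i}", 6, 135, 2))
# A normal HTTPS client: three destinations, long flows, so it never matches packets < 4.
for i in range(1, 4):
    SAMPLE_FLOWS.append(("192.0.2.5", f"198.51.100.{i}", 6, 443, 120 + i))
# Background noise: a single ICMP echo (proto 1, type/code encoded as dstPort 2048) and one short DNS exchange.
SAMPLE_FLOWS.append(("192.0.2.9", "198.51.100.1", 1, 2048, 1))
SAMPLE_FLOWS.append(("192.0.2.9", "198.51.100.53", 17, 53, 2))

# The query from the post, with the packet threshold and result size as parameters.
TOP_SHORT_FLOW_SOURCES = """
SELECT source, proto, dstPort, COUNT(destination) AS flow_count
FROM flows
WHERE packets < ?
GROUP BY source, proto, dstPort
ORDER BY flow_count DESC
LIMIT ?
"""


def load_flows(flows: Iterable[Flow]) -> sqlite3.Connection:
    """Create an in-memory flows table and bulk-insert the records."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE flows (source TEXT, destination TEXT, "
        "proto INTEGER, dstPort INTEGER, packets INTEGER)"
    )
    conn.executemany("INSERT INTO flows VALUES (?, ?, ?, ?, ?)", flows)
    conn.commit()
    return conn


def top_short_flow_sources(flows: Iterable[Flow], max_packets: int = 4,
                           limit: int = 10) -> List[Tuple[str, int, int, int]]:
    """Return (source, proto, dstPort, flow_count) rows, busiest first.

    Flows with fewer than max_packets packets are connection attempts that
    never carried a payload; a source with thousands of them toward one port
    is sweeping address space rather than talking to anyone.
    """
    conn = load_flows(flows)
    try:
        return conn.execute(TOP_SHORT_FLOW_SOURCES, (max_packets, limit)).fetchall()
    finally:
        conn.close()


def noisy_sources(flows: Iterable[Flow], min_flows: int = 20) -> List[str]:
    """Sources whose short-flow count for some (proto, dstPort) reaches min_flows.

    This is the list an operator would keep as the documented history the
    post talks about; min_flows is an assumed threshold, not from the post.
    """
    seen: List[str] = []
    for source, _proto, _port, flow_count in top_short_flow_sources(flows, limit=1000):
        if flow_count >= min_flows and source not in seen:
            seen.append(source)
    return seen


if __name__ == "__main__":
    print(f"{'Source':<16} {'proto':>5} {'dstPort':>7} {'count':>6}")
    for source, proto, port, count in top_short_flow_sources(SAMPLE_FLOWS):
        print(f"{source:<16} {proto:>5} {port:>7} {count:>6}")
    print("flagged:", noisy_sources(SAMPLE_FLOWS))
```

Running it prints a table in the same shape as the one in the post: the two sweeping sources lead with 40 and 25 short flows, the two single-packet probes trail with 1 each, and the HTTPS client does not appear at all because its flows carry far more than four packets.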