Re: de-peering for security sake

2015-12-26 Thread Joe Abley
On Dec 26, 2015, at 10:09, Stephen Satchell wrote: > My gauge is volume of obnoxious traffic. When I get lots of SSH probes from > a /32, I block the /32. ... without any knowledge of how many end systems are going to be affected. A significant campus or provider user base

Re: de-peering for security sake

2015-12-26 Thread Owen DeLong
I think as granular as practicable. In some cases, that will be a /32 or /128. In some cases, that will be a /24 or /64. In some cases, it may be an entire ASN. Each network will need to decide for themselves based on the constraints of the time they have to address the issue, the level of

Re: IPv4 shutdown in mobile

2015-12-26 Thread Mikael Abrahamsson
On Sat, 26 Dec 2015, Mark Tinka wrote: One network in southern Africa has upgraded 70% of their network to 4G as part of an enhancement exercise in the last 16x months, and provides 98% 3G coverage across their country of operation. But not a peep re: IPv6. Out of the 34 major mobile

Re: de-peering for security sake

2015-12-26 Thread William Waites
On Sat, 26 Dec 2015 11:14:25 -0500, Joe Abley said: >> My gauge is volume of obnoxious traffic. When I get lots of >> SSH probes from a /32, I block the /32. > ... without any knowledge of how many end systems are going to > be affected. A significant

Re: IPv4 shutdown in mobile

2015-12-26 Thread Mark Tinka
On 26/Dec/15 09:38, Mikael Abrahamsson wrote: > > > I guess there are major differences across the continent as to what > network gear is used, but I know some operators who shipped their 10 > year old 2G basestations to African providers, and if these are still > in use, potentially even

Re: de-peering for security sake

2015-12-26 Thread Owen DeLong
> On Dec 26, 2015, at 08:14 , Joe Abley wrote: > > On Dec 26, 2015, at 10:09, Stephen Satchell wrote: > >> My gauge is volume of obnoxious traffic. When I get lots of SSH probes from >> a /32, I block the /32. > > ... without any knowledge of how many

Re: de-peering for security sake

2015-12-26 Thread Matthew Petach
On Sat, Dec 26, 2015 at 12:34 PM, Owen DeLong wrote: >> On Dec 26, 2015, at 08:14 , Joe Abley wrote: >> On Dec 26, 2015, at 10:09, Stephen Satchell wrote >>> My gauge is volume of obnoxious traffic. When I get lots of SSH probes >>> from

Re: de-peering for security sake

2015-12-26 Thread Baldur Norddahl
On 26 December 2015 at 16:09, Stephen Satchell wrote: > On 12/26/2015 06:19 AM, Mike Hammett wrote: > >> How much is an acceptable standard to the community? Individual /32s >> ( or /64s)? Some tipping point where 50% of a /24 (or whatever its >> IPv6 equivalent would be) has

Re: announcement of freerouter

2015-12-26 Thread Alan Buxey
>RouterOS is an existing product by MikroTik Yes but this was an announcement about freerouter. If RouterOS has an announcement to make they can send their own email ;) alan

Re: de-peering for security sake

2015-12-26 Thread Mike Hammett
1) Automation is your friend. 2) If a host is compromised and doing an SSH scan, it's likely going to also be attempting SMTP, WordPress, home router, etc. attacks. Use a canary to block that host altogether to better your network. - Mike Hammett Intelligent Computing Solutions

Re: IPv4 shutdown in mobile

2015-12-26 Thread Mikael Abrahamsson
On Sat, 26 Dec 2015, Mark Tinka wrote: None of the major mobile carriers in eastern, western, central and southern Africa have done anything IPv6-related on their network that I am aware about. The availability of IPv4 space in the AFRINIC region, coupled with the ease of spending millions on

Re: announcement of freerouter

2015-12-26 Thread mate csaba
>RouterOS is an existing product by MikroTik Yes but this was an announcement about freerouter. If RouterOS has an announcement to make they can send their own email ;) since then i got it and corrected my page... cs

Re: de-peering for security sake

2015-12-26 Thread Mike Hammett
How much is an acceptable standard to the community? Individual /32s ( or /64s)? Some tipping point where 50% of a /24 (or whatever its IPv6 equivalent would be) has made your naughty list that you block the whole prefix? - Mike Hammett Intelligent Computing Solutions

Re: de-peering for security sake

2015-12-26 Thread Stephen Satchell
On 12/26/2015 06:19 AM, Mike Hammett wrote: How much is an acceptable standard to the community? Individual /32s ( or /64s)? Some tipping point where 50% of a /24 (or whatever its IPv6 equivalent would be) has made your naughty list that you block the whole prefix? My gauge is volume of

Re: de-peering for security sake

2015-12-26 Thread Jared Mauch
> On Dec 25, 2015, at 3:10 PM, Colin Johnston wrote: > > why do the chinese network folks never reply and action abuse reports, normal > slow speed network abuse is tolerated, but not high speed deliberate abuse > albeit compromised machines Biggest reason I’ve seen is

Re: de-peering for security sake

2015-12-26 Thread Jared Mauch
> On Dec 26, 2015, at 11:14 AM, Joe Abley wrote: > > With respect to ssh scans in particular -- disable all forms of > password authentication and insist upon public key authentication > instead. If the password scan log lines still upset you, stop logging > them. Or if you

Re: de-peering for security sake

2015-12-26 Thread Mike Hammett
Different network types will have different abilities to enforce this. - Mike Hammett Intelligent Computing Solutions http://www.ics-il.com Midwest Internet Exchange http://www.midwest-ix.com - Original Message - From: "Jared Mauch" To: "Joe

Re: de-peering for security sake

2015-12-26 Thread Owen DeLong
> On Dec 26, 2015, at 12:50 , Matthew Petach wrote: > > On Sat, Dec 26, 2015 at 12:34 PM, Owen DeLong > wrote: >>> On Dec 26, 2015, at 08:14 , Joe Abley wrote: >>> On Dec 26, 2015, at 10:09, Stephen Satchell

Re: de-peering for security sake

2015-12-26 Thread Valdis Kletnieks
On Sat, 26 Dec 2015 15:11:13 -0800, Owen DeLong said: > Or contexts where the user is sloppy about securing their private key, e.g. > the real world. I seem to remember that enough people stashed their entire home directory to github, including their keys, that github had to put in special hacks

Re: de-peering for security sake

2015-12-26 Thread Owen DeLong
> On Dec 26, 2015, at 15:54 , Baldur Norddahl wrote: > > On 27 December 2015 at 00:11, Owen DeLong wrote: > >> No… You are missing the point. Guessing a private key is roughly >> equivalent to guessing a really long >> pass phrase. There is no way

Re: de-peering for security sake

2015-12-26 Thread Valdis Kletnieks
On Sat, 26 Dec 2015 12:50:27 -0800, Matthew Petach said: > No, the difference is that a passphrase works > in conjunction with the private key, which is > the "something you have" vs the "something > you know" in two-factor authentication. > > With password authentication, there's only a > single

Re: de-peering for security sake

2015-12-26 Thread Baldur Norddahl
On 27 December 2015 at 00:11, Owen DeLong wrote: > No… You are missing the point. Guessing a private key is roughly > equivalent to guessing a really long > pass phrase. There is no way that the server side can enforce password > protection of the private key > on the client

Re: de-peering for security sake

2015-12-26 Thread Baldur Norddahl
Owen, you misunderstood what two factor is about. It is not practical to brute force the key file. Nor is it practical to brute force a good passphrase or password. Both have sufficient strength to withstand attack. But two factor is about having two things that need to be broken. The key can be

Re: de-peering for security sake

2015-12-26 Thread Damian Menscher via NANOG
On Sat, Dec 26, 2015 at 10:06 PM, Matthew Petach wrote: > Thanks for the reminder to look at it from multiple perspectives. > The key attribute missing from the discussion so far is that the factors be *different*, from the set of: - something you know (password / PIN)

Re: de-peering for security sake

2015-12-26 Thread Colin Johnston
interesting :) but useful to make an attempt at cleaning up traffic from china and russia colin Sent from my iPhone > On 27 Dec 2015, at 06:32, Hugo Slabbert wrote: > >> On Fri 2015-Dec-25 08:55:24 +0530, Suresh Ramasubramanian >> wrote: >> >> Hmm, has

Re: de-peering for security sake

2015-12-26 Thread Matthew Petach
On Sat, Dec 26, 2015 at 6:37 PM, Owen DeLong wrote: >> On Dec 26, 2015, at 15:54 , Baldur Norddahl >> wrote: >> [...] >> The key approach is still better. Even if the password is 123456 the >> attacker is not going to get in, unless he somehow stole

Re: de-peering for security sake

2015-12-26 Thread Hugo Slabbert
On Fri 2015-Dec-25 08:55:24 +0530, Suresh Ramasubramanian wrote: Hmm, has anyone at all kept count of the number of times such a discussion has started up in just the last year... Not on an ongoing basis, but I was curious as well, so a quick mailbox search for 2015:

Re: Broadband Router Comparisons

2015-12-26 Thread Mikael Abrahamsson
On Sat, 26 Dec 2015, Mike wrote: As a service provider with largely residential/small business customers, I certainly have some thoughts on broadband routers. Sorry if this is overly long. Firstly, they are all junk. Yes, that's correct. We get what we pay for. If the ISP buys the CPE,

Re: Broadband Router Comparisons

2015-12-26 Thread Mike
On 12/23/2015 06:49 PM, Lorell Hathcock wrote: All: Not all consumer grade customer premises equipment is created equally. But end customers sure think it is. I have retirement aged customers buying the crappiest routers and then blaming my cable network for all their connection woes. The