[AusNOG] New /21 on Bogan / Delinquent Lists

Darren Moss Darren.Moss at em3.com.au
Fri Sep 18 10:36:06 EST 2009


G'Day Shane,

Yes, I know it was a simplistic approach, but we need to start somewhere and I thought the allocation area could be a good place. I was attempting to relate IP allocation and management to driver license allocation and management.

We use the SpamHaus service and a bunch of others, which all work well, however legitimate traffic still gets blocked and we end up whitelisting... Which is a nightmare to manage.

I like the idea of a third party list which is managed by the community here (and abroad) as this could be of assistance - not to mention the great support from the group here to operate / manage / troubleshoot such a list.

Cheers.


Regards, 
 
 
Darren Moss
General Manager, Director
[p] 1300 131 083 [f] 03 9017 2287
[e] Darren.Moss at em3.com.au [w] www.em3.com.au

em3 People and Technology | Managed Technology Experts
postal: PO Box 2333, Moorabbin VIC 3189

New Zealand Airedale Street, Auckland City
postal: PO Box 39573, Howick 2045
[p] 09 92 555 26 [f] 09 887 0273 [m] 021 841 541


-----Original Message-----
From: Shane Short [mailto:shane at short.id.au] 
Sent: 2009-09-18 10:27 am
To: Darren Moss
Cc: Elly Tawhai; Nathan.Brookfield at serversaustralia.com.au; ausnog at ausnog.net
Subject: Re: [AusNOG] New /21 on Bogan / Delinquent Lists

Hi Darren,

On Fri, 18 Sep 2009 09:29:37 +1000, "Darren Moss" <Darren.Moss at em3.com.au> wrote:
> Hi Elly,
> 
> This is a real pain for us, and we've tried working with APNIC previously,
> so I am going to vent.
>
> I think this is more than just allocating and "managing" lists for ranges.
> The real issue (for us anyway) is many of the ranges allocated by
> APNIC contain obsolete, incorrect or fake contact information for the
> block owner.
>
> This leads to us filtering pretty much entire blocks for naughty people on
> the internet, which I believe leads to the issue occurring right now (yes I
> know this does not cover spoofing attempts, but it could help).

Perhaps you need to review your filtering policies?
I'm not a huge fan of blocking off an entire allocation because of some 'bad eggs'-- but if you're seeing repeated attacks from multiple places inside the network, then sure.

You could also find the AS that's advertising the prefix and try and bang on their door. If no-one answers, bang on the door of the AS above them.
 
> The amount of attacks on infrastructure was increased significantly,
> with many localised attacks coming from Asia-Pacific countries, which should be
> easily blocked either via contact with the provider or by a third party list.

This is hardly an APNIC specific problem-- I've had plenty of grief trying to contact other networks based on their WHOIS details in the past. It's not even really confined to IP Space/AS whois either, how often can you actually depend on the WHOIS data on a GTLD?

> I am surprised that in this day and age we don't have.....
> 
> A) APNIC checking block owner details and suspending where information 
> is not correct (ie: automatic email checking or automatic phone dialer 
> with response keys required)

This may sound rather daft, but if the contact information for the particular IP block is incorrect, how does APNIC get in contact with the person to tell them their details are wrong? What about all the legacy AUNIC blocks that were brought over that aren't associated with an APNIC account?

I'm not even so sure how APNIC would go about 'suspending' the IP address space, especially if they're unable to contact the owner. Maybe they'd publish it in a blacklist of sorts? I wonder how long it'd take someone to realise this and get on the phone to their lawyer, because these 'APNIC' people have stopped their internets working.

> B) APNIC co-ordinating with other parties (ie: RIPE) for their known 
> bad lists, which the Asia-Pacific communities can utilise for routing, 
> filtering, etc.

My understanding is that the RIPE filtering lists aren't 100% useful because they're not 100% complete, therefore not really that dependable. Things like the Spamhaus DROP list (http://www.spamhaus.org/drop/drop.lasso) seem quite useful though.

> There's not much point allocating blocks if we can't monitor and 
> manage when things go wrong.

Interesting to note there's been a huge discussion about this on nanog, but with s/APNIC/ARIN.
I agree there's a problem, but there's massive division in the community as to whose responsibility it is to fix up and how.

> We are just letting everyone do anything they want on our networks.
> 
> My 2c worth.
> 
> Regards,
>  
>  
> Darren Moss
> General Manager, Director
> [p] 1300 131 083 [f] 03 9017 2287
> [e] Darren.Moss at em3.com.au [w] www.em3.com.au
> 
> em3 People and Technology | Managed Technology Experts
> postal: PO Box 2333, Moorabbin VIC 3189
> 
> New Zealand Airedale Street, Auckland City
> postal: PO Box 39573, Howick 2045
> [p] 09 92 555 26 [f] 09 887 0273 [m] 021 841 541
> 
> 
> -----Original Message-----
> From: ausnog-bounces at lists.ausnog.net
> [mailto:ausnog-bounces at lists.ausnog.net] On Behalf Of Elly Tawhai
> Sent: 2009-09-18 9:00 am
> To: Nathan.Brookfield at serversaustralia.com.au
> Cc: ausnog at ausnog.net
> Subject: Re: [AusNOG] New /21 on Bogan / Delinquent Lists
> 
> Dear Nathan,
> 
> While APNIC tries its best to allocate clean blocks, as the free pool 
> of
> IPv4 address space reaches exhaustion it is becoming harder to prevent 
> connectivity problems such as what you're currently experiencing from 
> happening.
> 
> We understand that this is an important issue for the community; and 
> as such, we do take action to minimize any problems that may result.
> 
> We are currently investing extra resources to extend our debogon
> testing in line with the increase in demand, and in communications and
> education campaigns to better inform the community of this potential problem.
> 
> I will be in touch to see how I can further assist you.
> 
> Regards,
> Elly
> 
> ------------------------------------------------------------------------
> 
> Elly Tawhai                               email:          elly at apnic.net
> Senior Internet Resource Analyst/         sip:       elly at voip.apnic.net
> Liaison Officer(Pacific), APNIC           phone:         +61 7 3858 3188
> http://www.apnic.net                      fax:           +61 7 3858 3199
> 
> ------------------------------------------------------------------------
> 
> 
> Nathan Brookfield wrote:
>> Hi All,
>> 
>> I know this is a bit of an unusual request, not something I see on
>> AUSNOG regularly but we have had the very unfortunate luck of being
>> assigned a /21 from APNIC within the last 2 months which we are now slowly
>> starting to assign to customers.
>>
>> When the first customer was put onto this subnet they advised that
>> traffic from our network to ExeTEL appeared to be null routed into a
>> blackhole so after raising a ticket with ExeTEL I quickly found out
>> that the allocation had been blacklisted some years back for malicious activity,
>> over the last weeks we have been escalating issues to Singtel and a
>> long laundry list of other peers who have the prefix blocked.
>>
>> Today we are dealing with Telstra who have the prefix denied on all
>> SMTP servers which has been fun but looks like it’s almost at an end.
>>
>> Can I please reach out to all Sys Admins on the group to check your
>> networks and if you are blocking 180.92.192.0/21 if you could please allow
>> traffic from this subnet back into your networks.
>> 
>> APNIC of course are no help, the fact it appears this subnet is less 
>> than 90% routable does not help as they just won’t re-issue the 
>> allocation plus we are too far past that stage now ☹
>> 
>> Thanks in advance!
>> 
>> Kindest Regards,
>> Nathan Brookfield
>> 
>> IT Operations
>> The One Provider Group Pty Ltd
>> 
>> Direct:		(02) 4307 4206
>> Fax:		      (02) 4307 4201
>> Network Ops:	(02) 9037 4343
>> Web: 		      http://www.serversaustralia.com.au
>> Office Address:	2/2 Teamster Close, Tuggerah NSW 2259
>> Postal Address:	PO Box 3187, Tuggerah NSW 2259
>> 
>> 
>> 
>> 
>> 
>> _______________________________________________
>> AusNOG mailing list
>> AusNOG at lists.ausnog.net
>> http://lists.ausnog.net/mailman/listinfo/ausnog
> 
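
An added example, not part of the original thread or any poster's own tooling: one way to act on the request quoted above, auditing a locally held deny list for entries that still affect 180.92.192.0/21, whether as an exact match, a broader covering block, or a more-specific inside it. The "CIDR ; comment" line layout and every sample entry below are assumptions constructed for illustration.

```python
import ipaddress

# Constructed sample in the "CIDR ; comment" layout assumed here for a
# DROP-style text list; none of these entries come from a real list.
SAMPLE_LIST = """\
; constructed sample deny list, not real data
180.92.192.0/21 ; stale entry from a previous holder
180.92.0.0/16 ; broad covering block
180.92.196.0/24 ; more-specific inside the /21
192.0.2.0/24 ; documentation range, unrelated
not-a-prefix ; malformed line
"""

def parse_deny_list(text):
    """Return (line_no, network, comment) for each valid entry."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        cidr, _, comment = line.partition(";")
        try:
            net = ipaddress.ip_network(cidr.strip(), strict=False)
        except ValueError:
            continue  # skip malformed entries rather than abort the audit
        entries.append((line_no, net, comment.strip()))
    return entries

def find_blocking_entries(prefix, entries):
    """Classify entries that affect `prefix` as exact, covering or more-specific."""
    target = ipaddress.ip_network(prefix)
    hits = []
    for line_no, net, comment in entries:
        if net.version != target.version:
            continue
        if net == target:
            kind = "exact"
        elif target.subnet_of(net):
            kind = "covering"       # a broader block that swallows the prefix
        elif net.subnet_of(target):
            kind = "more-specific"  # blocks only part of the prefix
        else:
            continue
        hits.append((line_no, str(net), kind, comment))
    return hits

if __name__ == "__main__":
    for hit in find_blocking_entries("180.92.192.0/21", parse_deny_list(SAMPLE_LIST)):
        print(hit)
```

Covering entries are the ones an exact-match search of a filter list misses, which is how a reallocated block can stay unreachable after the obvious entry has been removed.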


