NonAgg Bogons Sufficient



  • For those that feel the nonagg bogons list is still sufficient, here is a bogon attempt at the SSH port that would not have been blocked by the nonagg list.

    
    Jan 11 05:59:37	WAN	    64.185.229.240:64439	    d.d.d.d:22	TCP:S
    
    

    Would rarely if ever get any blocked bogons with the nonagg list.  But now with the full list it actually blocks something every once in a while.



  • Well, that's the problem: not every IP will get blocklisted.

    1. 70% of people have DHCP
    2. 30% of people have Static


  • @francisuk22:

    Well, that's the problem: not every IP will get blocklisted.

    1. 70% of people have DHCP
    2. 30% of people have Static

    Forgive me.  But huh?



  • What I'm trying to say is…

    30% of people have static IPs and 70% of people have dynamic IPs.



  • @NOYB:

    For those that feel the nonagg bogons list is still sufficient, here is a bogon attempt at the SSH port that would not have been blocked by the nonagg list.

    
    Jan 11 05:59:37	WAN	    64.185.229.240:64439	    d.d.d.d:22	TCP:S
    
    

    Would rarely if ever get any blocked bogons with the nonagg list.  But now with the full list it actually blocks something every once in a while.

    And what is your point? IMHO the benefits of blocking a couple more ssh login attempts per day (btw in my case 90% of all ssh login attempts seem to come from compromised systems in data centers in US and EU) don't seem to outweigh the risk of blocking legitimate connections if you fail to update the full bogon-list…

    On the other hand, if you had a popular system that was targeted with DoS attacks from bogon IPs, then it'd certainly be a good idea to use the full bogon list.

    Just my 2 cents ...



  • Sure enough, ARIN shows non-allocated, but it's in the Internet routing table. In my BGP:

    flags destination          gateway          lpref  med aspath origin
          64.185.229.0/24      x.x.x.x            100    0 27325 7459 3356 27431 i

    It's AS 27431.
    JTL Networks Inc.
    240 N Fifth Street
    Suite 210
    Columbus OH

    Looks like a legit company, my guess is one of their customers is being bad and they're announcing that space without realizing it.

    I emailed their abuse with info.



  • Apparently their abuse department doesn't care.

    
    Feb 2 22:39:07	WAN	    64.185.229.239:50267	    d.d.d.d:22	TCP:S
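
The comparison this thread is about, as an added example that is not part of any post: it classifies the source address of each firewall log line by whether the nonagg list, only the full list, or neither would have matched it. The prefix lists are constructed stand-ins (a subset of reserved ranges, plus the /24 reported as unallocated above), the masked destination d.d.d.d is replaced with 192.0.2.10, and the second and third log lines are constructed.

```python
import ipaddress

# Constructed subset of reserved/special-use ranges, standing in for the nonagg list.
RESERVED = [
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.0.2.0/24", "192.168.0.0/16",
    "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24",
    "224.0.0.0/4", "240.0.0.0/4",
]

def load(prefixes):
    return [ipaddress.ip_network(p) for p in prefixes]

NONAGG = load(RESERVED)
# Constructed stand-in for the full list: reserved ranges plus unallocated space.
# 64.185.229.0/24 is included only because the thread reports it as unallocated.
FULL = load(RESERVED + ["64.185.229.0/24"])

# Log lines in the format shown in the thread; lines 2 and 3 are constructed.
SAMPLE_LOG = (
    "Jan 11 05:59:37\tWAN\t64.185.229.240:64439\t192.0.2.10:22\tTCP:S\n"
    "Jan 11 06:02:11\tWAN\t10.1.2.3:40000\t192.0.2.10:22\tTCP:S\n"
    "Jan 11 06:05:42\tWAN\t8.8.8.8:51515\t192.0.2.10:22\tTCP:S\n"
    "Feb 2 22:39:07\tWAN\t64.185.229.239:50267\t192.0.2.10:22\tTCP:S\n"
)

def source_ip(line):
    # Fields: month, day, time, interface, src:port, dst:port, proto:flags
    fields = line.split()
    return ipaddress.ip_address(fields[4].rsplit(":", 1)[0])

def verdict(ip):
    """Which list would have matched this source address."""
    if any(ip in net for net in NONAGG):
        return "both"
    if any(ip in net for net in FULL):
        return "full-only"
    return "neither"

def scan(log):
    """Return (source, verdict) for every non-empty log line."""
    ips = [source_ip(line) for line in log.splitlines() if line.strip()]
    return [(str(ip), verdict(ip)) for ip in ips]

if __name__ == "__main__":
    for src, which in scan(SAMPLE_LOG):
        print(f"{src:<16} {which}")
```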
    
    
