nanog mailing list archives

RE: Team Cymru / Spamhaus

From: SysIT <IT () SysAccess net>
Date: Fri, 27 Jun 2014 19:55:37 +0000

Appreciate the Clarification Darden, I wasn't aware Spamhaus had this other division / service, time for some reading.

-----Original Message-----
From: Darden, Patrick [mailto:Patrick.Darden () p66 com] 
Sent: Friday, June 27, 2014 11:50 AM
To: SysIT; Adam Greene; 'NANOG list'
Subject: RE: Team Cymru / Spamhaus

I feel like you are conflating DOS and DDOS.  DOS attacks can be bandwidth related, but they can also be malformed 
packets, injections, etc. ad nauseum.  DDOS are almost always, as you say, bandwidth wars.

The Spamhaus BGPF project has nothing to do with Spam--it is an attempt to provide filters for botnets and other 
malware hosts/nets, including DDOS and some DOS attacks.  However, it will only work if you use it--with the chance for 
false positives implicitly there.

The CYMRU FULLBOGON list won't help with DOS or DDOS--it is simply a list of martians, netbloks, and allocated but 
unassigned IP space.  Well worth using, and a fabulous resource.

--patrick darden

-----Original Message-----
From: NANOG [mailto:nanog-bounces () nanog org] On Behalf Of SysIT
Sent: Friday, June 27, 2014 10:23 AM
To: Adam Greene; 'NANOG list'
Subject: [EXTERNAL]RE: Team Cymru / Spamhaus

That wont stop a DoS.

A DoS or DDoS is pure bandwidth wars for the most part, if someone is to DoS you, they already have your IP's and urls 
they need to attack you, thus a spam list won't stop an attack.

If you want to minimize actual spam, sure.

-----Original Message-----
From: NANOG [mailto:nanog-bounces () nanog org] On Behalf Of Adam Greene
Sent: Friday, June 27, 2014 9:18 AM
To: 'NANOG list'
Subject: Team Cymru / Spamhaus

Hi all,

We're evaluating whether to add BGP feeds from these two sources in attempt to minimize exposure to DoS.

The Team Cymru BOGON list (

http://www.team-cymru.org/Services/Bogons/bogon-bn-nonagg.txt or

http://www.team-cymru.org/Services/Bogons/bogon-bn-agg.txt

)

looks promising and common-sense. 

We already filter RFC1918 inbound at our edge, and are interested to see if adding the rest of the blocks will have a 
significant positive effect.

If it does, we're planning to try the IPv4 FULLBOGON list:

http://www.team-cymru.org/Services/Bogons/fullbogons-ipv4.txt

We're a little more leery about trying Spamhaus's BGPf service (DROP, EDROP and BCL, 

http://www.spamhaus.org/bgpf/

)

because we really want to avoid false positives. 

Just wondering if anyone has any words of caution ("False positives! Avoid FULLBOGONS and Spamhaus!"), or words of 
praise ("Do it all! These services are wonderful!") before we take the plunge.

Thanks,

Adam

Current thread:

Team Cymru / Spamhaus Adam Greene (Jun 27)
- Re: Team Cymru / Spamhaus Paul Ferguson (Jun 27)
- RE: Team Cymru / Spamhaus SysIT (Jun 27)
  - Message not available
    - RE: Team Cymru / Spamhaus SysIT (Jun 27)
- Re: Team Cymru / Spamhaus Jon Lewis (Jun 27)
  - Re: Team Cymru / Spamhaus Matthias Leisi (Jun 27)
  - Re: Team Cymru / Spamhaus Paul S. (Jun 27)