IP Transit – Blocked Prefixes / Blackhole routing

Simon Woodhead

18th July 2012

Blocked Prefixes

Customers using Simwood Transit * (Full or Partial) or directly connected to the Simwood network (e.g. co-located, virtualised or using Carrier Ethernet for Internet access) are today offered an improved level of protection far beyond that offered by most ISPs.

Historically our connectivity was relatively open unless customers asked for specific stateless filtering, and the only destination addresses we blocked were a small list of ‘bogons’ – addresses which don’t exist. Effective this week we have increased the level of filtering offered as standard, and the following routes will now be unreachable, for the protection of customers:

  • Full Bogons. Approximately 5,400 prefixes which are either reserved for internal use or otherwise not in use. No legitimate traffic should come to or from these addresses, but mal-intended traffic frequently uses them.
  • SANS ISC Block List. Up to 20 top attacking prefixes over the last 3 days, as published by the Internet Storm Center.
  • Spamhaus Don’t Route Or Peer list (DROP). Approximately 400 address ranges hijacked and under the control of netblock thieves or criminal spammers.
  • Spamhaus Extended DROP list (EDROP). An extension to the above which includes sub-allocated netblocks.
  • OpenBL.org. A large list of confirmed individual IP addresses engaged in brute-force attacks on SSH, FTP, POP (3 and S) and IMAP services.

Please see the links above for background to these data sets and to understand why you do not wish to send traffic to them. The blocking of these prefixes should have no negative impact whatsoever on any customer as they either do not exist or are exclusively ‘bad’.

We have far more addresses we could filter, such as those trapped by our own honeypot and darknets, but we feel this would be offering a level of protection which has the potential to adversely affect some customer traffic. Customers who want additional, bespoke protection are advised to consider ThreatSTOP.

Blocked prefixes are filtered on every Simwood edge router, so an attempt to route to them will generally not get beyond the first local hop. Edge routers running the latest stable firmware will also block traffic appearing to originate from any of these addresses. This has two benefits:

  • The network is invisible to traffic coming from any of the listed addresses, as it will be dropped at the very edge of our network.
  • You will be unable to send traffic out with any listed address spoofed as the source. Malware frequently uses non-routable or spoofed addresses to call home or otherwise attack target systems. Such traffic will now not leave the network where the source matches an address in the lists above, lessening your contribution to cybercrime if you have infected user equipment.

Other edge equipment is scheduled for upgrade such that this feature will be available network-wide soon.
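To make the two-direction policy above concrete, here is an added example (not Simwood's router configuration) of the decision an edge filter takes: it ingests feeds in the text shapes the listed projects publish (one prefix or host per line, with ';' or '#' comments), aggregates them, and then drops a packet if either its destination or its source falls inside a listed prefix. The feed contents are constructed from documentation address ranges for the example; only the feed names come from the post.

```python
import ipaddress

# Constructed sample feeds in the shape of the public lists named in the post.
# Addresses are RFC 5737 / RFC 3849 documentation ranges chosen for the example.
BOGONS = [
    "0.0.0.0/8",
    "10.0.0.0/8",
    "127.0.0.0/8",
    "100.64.0.0/10",
]
SPAMHAUS_DROP = [
    "; constructed DROP-style feed: prefix, then a comment",
    "198.51.100.0/24 ; constructed entry",
    "2001:db8::/32 ; constructed entry",
]
OPENBL = [
    "# constructed OpenBL-style feed: one attacking host per line",
    "203.0.113.7",
    "203.0.113.9",
]


def parse_feed(lines, comment_chars=";#"):
    """Yield ip_network objects from a text feed.

    Anything after ';' (Spamhaus DROP) or '#' (OpenBL, bogon lists) is a
    comment. A bare address becomes a /32 or /128 host route.
    """
    for raw in lines:
        line = raw
        for ch in comment_chars:
            line = line.split(ch, 1)[0]
        line = line.strip()
        if not line:
            continue
        # strict=False tolerates host bits set in a prefix (e.g. 10.1.2.3/24)
        yield ipaddress.ip_network(line, strict=False)


def build_blocklist(*feeds):
    """Merge feeds into one aggregated list. Adjacent and overlapping ranges
    collapse, which is what you want before pushing the list to a router."""
    nets = [net for feed in feeds for net in parse_feed(feed)]
    v4 = [n for n in nets if n.version == 4]
    v6 = [n for n in nets if n.version == 6]
    return list(ipaddress.collapse_addresses(v4)) + list(
        ipaddress.collapse_addresses(v6)
    )


def match(blocklist, addr):
    """Return the blocked network containing addr, or None."""
    ip = ipaddress.ip_address(addr)
    for net in blocklist:
        if net.version == ip.version and ip in net:
            return net
    return None


def filter_packet(blocklist, src, dst):
    """Apply the edge policy in both directions.

    Returns ("drop", reason) or ("forward", reason). The destination is
    checked first (traffic *to* a listed prefix), then the source (traffic
    *from* one, which also catches a customer host spoofing a listed address
    on the way out).
    """
    hit = match(blocklist, dst)
    if hit is not None:
        return "drop", f"destination {dst} is in blocked prefix {hit}"
    hit = match(blocklist, src)
    if hit is not None:
        return "drop", f"source {src} is in blocked prefix {hit}"
    return "forward", "no match"


if __name__ == "__main__":
    bl = build_blocklist(BOGONS, SPAMHAUS_DROP, OPENBL)
    for src, dst in [
        ("192.0.2.10", "198.51.100.20"),  # customer -> DROP-listed range
        ("10.1.2.3", "192.0.2.10"),       # bogon-sourced packet arriving inbound
        ("192.0.2.10", "203.0.113.7"),    # customer -> OpenBL-listed host
        ("192.0.2.10", "203.0.113.8"),    # neighbour of a listed host: allowed
    ]:
        print(src, "->", dst, filter_packet(bl, src, dst))
```

A real router does this lookup in hardware (TCAM or a radix tree) rather than a linear scan, but the semantics are the same: the source-address check is what turns a destination block list into anti-spoofing, and the OpenBL entries show why host-granular (/32) entries sit alongside large bogon ranges in the same structure.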

Blackhole routing

We have put in place the ability to block a customer prefix not only network-wide but also upstream at our transit providers. This means that if a specific address of yours is being attacked, possibly overwhelming your firewall or saturating your connection to us, we can block traffic to that IP address alone. Whilst this is not ideal, in that it completes the denial of service against that one address, it is often a first step in combating an attack, as at least it restores service to the rest of your equipment.

This can be put in place by contacting us or, for customers using BGP, by announcing the target prefix with community 42353:2666. BGP customers will need their session modified for this feature to be available and should contact us.
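The session modification mentioned above is needed because a normal customer session rejects host routes; the provider side has to accept a /32 (or /128) only when it carries the blackhole community, and only for addresses the customer actually holds. The following is an added example of that acceptance policy, not Simwood's published filters: the community 42353:2666 is from the post, while the /24 and /48 limits for ordinary routes, the customer allocation, and the use of the RFC 7999 well-known BLACKHOLE community (65535:666, standardised after this post was written) when re-announcing the discard route upstream are assumptions for the example.

```python
import ipaddress

# Community from the post that a BGP customer attaches to request blackholing.
SIMWOOD_BLACKHOLE = (42353, 2666)
# Well-known BLACKHOLE community (RFC 7999). Assumed here as the tag an
# upstream transit provider expects when the discard route is passed on.
RFC7999_BLACKHOLE = (65535, 666)

# Assumed longest prefix accepted as an ordinary (non-blackhole) route.
MAX_NORMAL_PREFIXLEN = {4: 24, 6: 48}


def parse_community(text):
    """'42353:2666' -> (42353, 2666)."""
    asn, value = text.split(":")
    return int(asn), int(value)


def evaluate_announcement(customer_prefixes, prefix, communities):
    """Decide what to do with one route received on a customer session.

    Returns a dict describing the accepted route, or None when rejected.
    Assumed policy:
      * the prefix must lie inside the customer's own allocation;
      * tagged with 42353:2666 it must be a single host (/32 or /128) and
        is installed with a discard next-hop;
      * otherwise it must be no longer than /24 (/48) and is forwarded.
    """
    try:
        net = ipaddress.ip_network(prefix, strict=True)
    except ValueError:
        return None  # malformed, or host bits set: reject rather than guess
    allowed = [ipaddress.ip_network(p) for p in customer_prefixes]
    if not any(a.version == net.version and net.subnet_of(a) for a in allowed):
        return None  # customers may only act on their own address space
    comms = {parse_community(c) for c in communities}
    if SIMWOOD_BLACKHOLE in comms:
        if net.prefixlen != net.max_prefixlen:
            return None  # never blackhole more than one host at a time
        return {"prefix": str(net), "action": "discard",
                "communities": sorted(comms)}
    if net.prefixlen > MAX_NORMAL_PREFIXLEN[net.version]:
        return None
    return {"prefix": str(net), "action": "forward",
            "communities": sorted(comms)}


def upstream_announcement(route):
    """Build the copy of an accepted discard route to send to a transit
    provider, swapping the customer-facing community for the one the
    upstream expects (RFC 7999 BLACKHOLE assumed)."""
    if route is None or route["action"] != "discard":
        return None
    comms = [c for c in route["communities"] if c != SIMWOOD_BLACKHOLE]
    comms.append(RFC7999_BLACKHOLE)
    return {"prefix": route["prefix"], "communities": sorted(comms)}


if __name__ == "__main__":
    allocation = ["192.0.2.0/24"]  # constructed customer allocation
    attacked = evaluate_announcement(allocation, "192.0.2.77/32", ["42353:2666"])
    print("accepted:", attacked)
    print("to upstream:", upstream_announcement(attacked))
    print("whole /25 with blackhole tag:",
          evaluate_announcement(allocation, "192.0.2.0/25", ["42353:2666"]))
    print("someone else's host:",
          evaluate_announcement(allocation, "198.51.100.1/32", ["42353:2666"]))
```

The two rejections shown at the end are the ones that matter operationally: a customer must not be able to blackhole an address it does not hold, and the tag must not turn into a way to withdraw a whole block, since the point of the facility is to sacrifice one address so the rest keep working.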

Customers using TiNet IP Transit are offered a similar facility and should contact us to enable it.


* This does not apply to our TiNet IP Transit, as with that product customers are connected transparently through Simwood to TiNet.