sysadmin/NetworkDesignAdventures written at 23:02:08
Adventures in network design, illustrated by our new backbone connection
Our current connection to the campus backbone is a 100 megabit connection. While we have a (somewhat) new gigabit backbone connection, we are not using it yet because we need to revise our network architecture.
One of the issues with our current network setup is that it was designed before firewalls were common. As a result, our current backbone connection connects directly to one of our /24 subnets, where (of course) a number of our servers live. This forces us to use a bridging firewall instead of a routing one, because we want those servers to be behind the firewall.
If you can, you really want to use a routing firewall:
Given this, what you generally want is for your touchdown subnet (the subnet that your external connection sits on) to have only your external connection and your routing firewall. In theory we could achieve this even with our current connection, but for two issues: first, a /24 is a pretty large chunk of network space to use up for just two things, and second, a number of our servers on that subnet have by now very well known IP addresses and would be hard to move.
Our new gigabit connection uses a very small touchdown network for just this sort of network setup. However, this means that to use it we pretty much need to build a new firewall setup and shuffle how our internal routing is done, and we haven't yet had time to do either.
(We are fortunate that no one is really chomping at the bit to have gigabit connectivity to elsewhere on campus.)
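As an added example (not part of the original entry), here is a small Python check of the touchdown-subnet rule described above: it flags anything on the touchdown subnet other than the external connection and the routing firewall, and reports the smallest IPv4 prefix that would hold just those two. The function name, host names and addresses are constructed for illustration and use documentation address ranges.

```python
import ipaddress


def audit_touchdown(subnet, allowed, inventory):
    """Audit a touchdown subnet against the 'only two things' rule.

    subnet    -- CIDR string for the subnet the external connection sits on
    allowed   -- names permitted there (external connection, routing firewall)
    inventory -- {name: ip_string} for every addressed interface we know of
    """
    net = ipaddress.ip_network(subnet)
    present = {name for name, ip in inventory.items()
               if ipaddress.ip_address(ip) in net}
    # IPv4 convention: reserve the network and broadcast addresses as well.
    needed = len(allowed) + 2
    host_bits = (needed - 1).bit_length()  # ceil(log2(needed))
    return {
        "unexpected": sorted(present - set(allowed)),  # should be behind the firewall
        "missing": sorted(set(allowed) - present),     # expected here but not found
        "smallest_prefix": net.max_prefixlen - host_bits,
        "unused": net.num_addresses - 2 - len(present),
    }


ALLOWED = ["backbone-gw", "fw-ext"]  # hypothetical interface names

# Constructed sample: backbone lands directly on a server /24, and the
# bridging firewall has no address of its own on that subnet.
OLD_LAYOUT = {
    "backbone-gw": "192.0.2.1",
    "www": "192.0.2.10",
    "mail": "192.0.2.25",
}

# Constructed sample: small touchdown network, servers routed behind it.
NEW_LAYOUT = {
    "backbone-gw": "198.51.100.1",
    "fw-ext": "198.51.100.2",
    "www": "192.0.2.10",
    "mail": "192.0.2.25",
}

if __name__ == "__main__":
    print(audit_touchdown("192.0.2.0/24", ALLOWED, OLD_LAYOUT))
    print(audit_touchdown("198.51.100.0/30", ALLOWED, NEW_LAYOUT))
```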
spam/SpamSummary-2007-08-11 written at 00:21:33
Weekly spam summary on August 11th, 2007
This week, we:
Connection volume is down from last week. This week the volume peak was clearly on Monday instead of Wednesday:
Kernel level packet filtering top ten:
Host/Mask              Packets   Bytes
188.8.131.52           47178     2453K   terra.es
184.108.40.206/24      30310     1374K   bellsouth.net
220.127.116.11/24      24588     1475K   centrum.cz
18.104.22.168/23       18445     896K    cox.net
22.214.171.124/24      8250      429K    rapidsite.net
126.96.36.199          8181      393K
188.8.131.52           5832      280K
184.108.40.206         4611      235K
220.127.116.11/24      4545      218K    adelphia.net
18.104.22.168          4109      192K
Overall volume is up slightly from last week. The number of individual IPs that are making the top ten remains low; I suspect that this is going to be the pattern, since I doubt the advance fee fraud spammers exploiting all of the various ISPs doing too-open webmail are going to stop trying to email us any time soon.
Connection time rejection stats:
135251  total
 63818  bad or no reverse DNS
 61561  dynamic IP
  7550  class bl-cbl
   478  class bl-pbl
   314  class bl-dsbl
   218  class bl-sbl
   189  premia networks
   184  qsnews.net
   133  class bl-sdul
    58  acceleratebiz.com
    26  class bl-njabl
Here 'premia networks' is 22.214.171.124/24 and 126.96.36.199/24, yet another place that lights up our spamtraps in a particularly telling, broadly distributed, and aggressive manner. Perhaps there is an innocent explanation, but in the meantime we aren't going to be talking to them.
The highest source of SBL rejections this week is the same as last week: SBL57113 aka 'speed tech inc', with 117 rejections. Following it is SBL48694 with 23 rejections, also returning from last week, and SBL57435 aka 'fisksox.com et al' with 10 rejections.
Sixteen of the top 30 most rejected IP addresses were rejected 100 times or more this week. The leader is 188.8.131.52 with a jaw-dropping 6,877 rejections, followed by 184.108.40.206 (1,882 rejections) and 220.127.116.11 (1,230 rejections); everyone else has less than 500.
Fifteen of the top 30 are currently in the CBL, eight are currently
(Locally, 22 were rejected for bad or missing reverse DNS, 4 for being dynamic addresses, two for being people we don't want to talk to, one for being in the DSBL, and one for being in the CBL.)
This week, Hotmail had:
And the final numbers:
The leading source of bad
Bad bounces were sent to 680 different bad usernames this week, with
the most popular one being a many-way tie at two attempts each between
the bad usernames oretachi-rowringzoku, oldeng, mytool, masaru-12-25,
an ex-user, ky99, hustler-hildreth, dfgdgdgiyrww, bekind, Ned, and
Dankertybpd. That pretty much gives the flavour of the bad usernames
this week right there, with a few like