Adventures in network design, illustrated by our new backbone connection
Our current connection to the campus backbone is a 100 megabit connection. While we have a (somewhat) new gigabit backbone connection, we are not using it yet because we need to revise our network architecture.
One of the issues with our current network setup is that it was designed before firewalls were common. As a result, our current backbone connection connects directly to one of our /24 subnets, where (of course) a number of our servers live. This forces us to use a bridging firewall instead of a routing one, because we want those servers to be behind the firewall.
If you can, you really want to use a routing firewall:
- OpenBSD's pfsync and CARP support only works (well) with routing firewalls, which means that our current firewall doesn't have an automatic hot backup; if it fails, the recovery procedure requires someone to go to the machine room.
- bridging firewalls can't do some things.
Given this, what you generally want is that your touchdown subnet (the subnet that your external connection sits on) to have only your external connection and your routing firewall. In theory we could achieve this even with our current connection, but for two issues: first, a /24 is a pretty large chunk of network space to use up for just two things, and second, a number of our servers on that subnet have by now very well known IP addresses and would be hard to move.
Our new gigabit connection uses a very small touchdown network for just this sort of network setup. However, this means that to use it we pretty much need to build a new firewall setup and shuffle how our internal routing is done, and we haven't yet had time to do either.
(We are fortunate that no one is really chomping at the bit to have gigabit connectivity to elsewhere on campus.)
Weekly spam summary on August 11th, 2007
This week, we:
- got 11,040 messages from 245 different IP addresses.
- handled 20,069 sessions from 1,915 different IP addresses.
- received 344,743 connections from at least 97,338 different IP addresses.
- hit a highwater of 42 connections being checked at once.
Connection volume is down from last week. This week the volume peak was clearly on Monday instead of Wednesday:
Kernel level packet filtering top ten:
Host/Mask Packets Bytes 188.8.131.52 47178 2453K terra.es 184.108.40.206/24 30310 1374K bellsouth.net 220.127.116.11/24 24588 1475K centrum.cz 18.104.22.168/23 18445 896K cox.net 22.214.171.124/24 8250 429K rapidsite.net 126.96.36.199 8181 393K 188.8.131.52 5832 280K 184.108.40.206 4611 235K 220.127.116.11/24 4545 218K adelphia.net 18.104.22.168 4109 192K
Overall volume is up slightly from last week. The number of individual IPs that are making the top ten remains low; I suspect that this is going to be the pattern, since I doubt the advance fee fraud spammers exploiting all of the various ISPs doing too-open webmail are going to stop trying to email us any time soon.
- 22.214.171.124 kept trying with an origin address that tripped our spamtraps the last time they tried.
- 126.96.36.199 is on the DSBL; last week it just made the top connection time stats, but it's moved up this week.
- 188.8.131.52 also returns from last week, still in SBL57028.
- 184.108.40.206 returns from late July and is still something we consider a dynamic IP.
Connection time rejection stats:
135251 total 63818 bad or no reverse DNS 61561 dynamic IP 7550 class bl-cbl 478 class bl-pbl 314 class bl-dsbl 218 class bl-sbl 189 premia networks 184 qsnews.net 133 class bl-sdul 58 acceleratebiz.com 26 class bl-njabl
Here 'premia networks' is 220.127.116.11/24 and 18.104.22.168/24, yet another place that lights up our spamtraps in a particularly telling, broad distributed, and aggressive manner. Perhaps there is an innocent explanation, but in the mean time we aren't going to be talking to them.
The highest source of SBL rejections this week is the same as last week: SBL57113 aka 'speed tech inc', with 117 rejections. Following it is SBL48694 with 23 rejections, also returning from last week, and SBL57435 aka 'fisksox.com et al' with 10 rejections.
Sixteen of the top 30 most rejected IP addresses were rejected 100 times or more this week. The leader is 22.214.171.124 with a jaw dropping 6,877 rejections, followed by 126.96.36.199 (1,882 rejections) and 188.8.131.52 (1,230 rejections); everyone else has less then 500.
Fifteen of the top 30 are currently in the CBL, eight are currently
bl.spamcop.net, fourteen are in the PBL, and a grand total of
nineteen are currently in zen.spamhaus.org.
(Locally, 22 were rejected for bad or missing reverse DNS, 4 for being dynamic addresses, two for being people we don't want to talk to, one for being in the DSBL, and one for being in the CBL.)
This week, Hotmail had:
- 3 messages accepted.
- no messages rejected because they came from non-Hotmail email addresses.
- 46 messages sent to our spamtraps.
- 2 messages refused because their sender addresses had already hit our spamtraps.
- 4 messages refused due to their origin IP address (two in the CBL, one in SBL44539, and one from the Cote d'Ivoire).
And the final numbers:
|what||# this week||(distinct IPs)||# last week||(distinct IPs)|
The leading source of bad
HELO attempts this week is 184.108.40.206
(92 attempts with a
.local name), followed by 220.127.116.11 (81
attempts) and 18.104.22.168 (58 attempts). I continue to grind my
teeth at the popularity of throwing
.local around on the general
Bad bounces were sent to 680 different bad usernames this week, with
the most popular one being a many-way tie at two attempts each between
the bad usernames oretachi-rowringzoku, oldeng, mytool, masaru-12-25,
an ex-user, ky99, hustler-hildreth, dfgdgdgiyrww, bekind, Ned, and
Dankertybpd. That pretty much gives the flavour of the bad usernames
this week right there, with a few like
GordyBaze thrown in for good