Wandering Thoughts archives

2007-08-12

Adventures in network design, illustrated by our new backbone connection

Our current connection to the campus backbone is a 100 megabit connection. While we have a (somewhat) new gigabit backbone connection, we are not using it yet because we need to revise our network architecture.

One of the issues with our current network setup is that it was designed before firewalls were common. As a result, our current backbone connection connects directly to one of our /24 subnets, where (of course) a number of our servers live. This forces us to use a bridging firewall instead of a routing one, because we want those servers to be behind the firewall.

If you can, you really want to use a routing firewall:

  • OpenBSD's pfsync and CARP support only works (well) with routing firewalls, which means that our current firewall doesn't have an automatic hot backup; if it fails, the recovery procedure requires someone to go to the machine room.
  • bridging firewalls can't do some things.

Given this, what you generally want is for your touchdown subnet (the subnet that your external connection sits on) to have only your external connection and your routing firewall on it. In theory we could achieve this even with our current connection, but for two issues: first, a /24 is a pretty large chunk of network space to use up for just two things, and second, a number of our servers on that subnet have by now very well known IP addresses and would be hard to move.

Our new gigabit connection uses a very small touchdown network for just this sort of network setup. However, this means that to use it we pretty much need to build a new firewall setup and shuffle how our internal routing is done, and we haven't yet had time to do either.

(We are fortunate that no one is really chomping at the bit to have gigabit connectivity to elsewhere on campus.)

sysadmin/NetworkDesignAdventures written at 23:02:08

Weekly spam summary on August 11th, 2007

This week, we:

  • got 11,040 messages from 245 different IP addresses.
  • handled 20,069 sessions from 1,915 different IP addresses.
  • received 344,743 connections from at least 97,338 different IP addresses.
  • hit a highwater of 42 connections being checked at once.

Connection volume is down from last week. This week the volume peak was clearly on Monday instead of Wednesday:

Day          Connections   different IPs
Sunday            47,387         +14,319
Monday            62,687         +17,866
Tuesday           43,800         +12,720
Wednesday         40,725         +11,191
Thursday          56,906         +16,513
Friday            53,297         +14,396
Saturday          39,941         +10,333

Kernel level packet filtering top ten:

Host/Mask           Packets   Bytes
213.4.149.12          47178   2453K terra.es
205.152.59.0/24       30310   1374K bellsouth.net
213.29.7.0/24         24588   1475K centrum.cz
68.230.240.0/23       18445    896K cox.net
204.202.242.0/24       8250    429K rapidsite.net
70.54.178.101          8181    393K
208.11.149.93          5832    280K
66.106.101.58          4611    235K
68.168.78.0/24         4545    218K adelphia.net
68.167.174.247         4109    192K

Overall volume is up slightly from last week. The number of individual IPs that are making the top ten remains low; I suspect that this is going to be the pattern, since I doubt the advance fee fraud spammers exploiting all of the various ISPs doing too-open webmail are going to stop trying to email us any time soon.

  • 70.54.178.101 kept trying with an origin address that tripped our spamtraps the last time they tried.
  • 208.11.149.93 is on the DSBL; last week it just made the top connection time stats, but it's moved up this week.
  • 66.106.101.58 also returns from last week, still in SBL57028.
  • 68.167.174.247 returns from late July and is still something we consider a dynamic IP.

Connection time rejection stats:

 135251 total
  63818 bad or no reverse DNS
  61561 dynamic IP
   7550 class bl-cbl
    478 class bl-pbl
    314 class bl-dsbl
    218 class bl-sbl
    189 premia networks
    184 qsnews.net
    133 class bl-sdul
     58 acceleratebiz.com
     26 class bl-njabl

Here 'premia networks' is 64.235.54.0/24 and 64.235.57.0/24, yet another place that lights up our spamtraps in a particularly telling, broadly distributed, and aggressive manner. Perhaps there is an innocent explanation, but in the meantime we aren't going to be talking to them.

The highest source of SBL rejections this week is the same as last week: SBL57113 aka 'speed tech inc', with 117 rejections. Following it is SBL48694 with 23 rejections, also returning from last week, and SBL57435 aka 'fisksox.com et al' with 10 rejections.

Sixteen of the top 30 most rejected IP addresses were rejected 100 times or more this week. The leader is 210.56.96.91 with a jaw-dropping 6,877 rejections, followed by 61.17.143.183 (1,882 rejections) and 201.230.180.203 (1,230 rejections); everyone else has less than 500.

Fifteen of the top 30 are currently in the CBL, eight are currently in bl.spamcop.net, fourteen are in the PBL, and a grand total of nineteen are currently in zen.spamhaus.org.
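The 'class bl-*' lines in the rejection stats above and the CBL/PBL/zen counts in this paragraph both come down to one mechanism: reverse the IP's octets, query a DNSBL zone, and map the 127.0.0.x answer to a list class. The following is an added illustration, not code from this site; it uses the zen.spamhaus.org return codes as Spamhaus documents them, and the resolver answers are constructed so it runs offline.

```python
import ipaddress

# Spamhaus zen return codes (as documented by Spamhaus), mapped onto the
# rejection classes used in the summary above.
ZEN_CLASSES = {
    "127.0.0.2": "bl-sbl",   # SBL: verified spam sources
    "127.0.0.3": "bl-sbl",   # SBL (CSS listings)
    "127.0.0.4": "bl-cbl",   # XBL, which includes the CBL
    "127.0.0.5": "bl-cbl", "127.0.0.6": "bl-cbl", "127.0.0.7": "bl-cbl",
    "127.0.0.10": "bl-pbl",  # PBL: end-user / dynamic address space
    "127.0.0.11": "bl-pbl",
}

def dnsbl_query_name(ip, zone="zen.spamhaus.org"):
    """Reverse the octets and append the zone, e.g. 10.2.0.192.zen.spamhaus.org."""
    addr = ipaddress.IPv4Address(ip)  # rejects anything that is not an IPv4 address
    return ".".join(reversed(addr.exploded.split("."))) + "." + zone

def classify(ip, resolve):
    """Return the sorted rejection classes for ip; resolve(name) -> list of A records."""
    classes = set()
    for answer in resolve(dnsbl_query_name(ip)):
        if answer.startswith("127.255.255."):
            # zen signals query problems (refused, over quota) with these codes;
            # fail open here rather than treat an error answer as a listing
            raise RuntimeError("DNSBL lookup error for %s: %s" % (ip, answer))
        classes.add(ZEN_CLASSES.get(answer, "bl-unknown"))
    return sorted(classes)

def rejection_summary(ips, resolve):
    """Count hits per class, in the shape of the connection time rejection stats."""
    counts = {}
    for ip in ips:
        for cls in classify(ip, resolve):
            counts[cls] = counts.get(cls, 0) + 1
    return counts

# Constructed sample answers (not real lookup results), keyed by query name.
SAMPLE_ANSWERS = {
    dnsbl_query_name("192.0.2.10"): ["127.0.0.4"],                # CBL/XBL hit
    dnsbl_query_name("192.0.2.11"): ["127.0.0.2", "127.0.0.11"],  # SBL and PBL
    dnsbl_query_name("192.0.2.12"): [],                           # not listed
}

def sample_resolver(name):
    return SAMPLE_ANSWERS.get(name, [])
```

For real lookups, pass a resolver that returns the A records for the query name (for example one built on socket.gethostbyname_ex, treating socket.gaierror as 'not listed').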

(Locally, 22 were rejected for bad or missing reverse DNS, 4 for being dynamic addresses, two for being people we don't want to talk to, one for being in the DSBL, and one for being in the CBL.)

This week, Hotmail had:

  • 3 messages accepted.
  • no messages rejected because they came from non-Hotmail email addresses.
  • 46 messages sent to our spamtraps.
  • 2 messages refused because their sender addresses had already hit our spamtraps.
  • 4 messages refused due to their origin IP address (two in the CBL, one in SBL44539, and one from the Cote d'Ivoire).

And the final numbers:

what          # this week (distinct IPs)   # last week (distinct IPs)
Bad HELOs     1874 (176)                   625 (126)
Bad bounces   692 (487)                    82 (51)

The leading source of bad HELO attempts this week is 67.50.159.134 (92 attempts with a .local name), followed by 67.79.168.3 (81 attempts) and 62.225.190.98 (58 attempts). I continue to grind my teeth at the popularity of throwing .local around on the general Internet.

Bad bounces were sent to 680 different bad usernames this week, with the most popular one being a many-way tie at two attempts each between the bad usernames oretachi-rowringzoku, oldeng, mytool, masaru-12-25, an ex-user, ky99, hustler-hildreth, dfgdgdgiyrww, bekind, Ned, and Dankertybpd. That pretty much gives the flavour of the bad usernames this week right there, with a few like GordyBaze thrown in for good measure.

spam/SpamSummary-2007-08-11 written at 00:21:33
