I did a test on my personal server of filtering every IP network assigned to China for a few months and over 90% of SSH attempts and other noise just went away. It was pretty remarkable.
Working for a public university I can't block China outright, but there are times it has been tempting. :-) The majority of DDOS attacks I see are sourced from addresses in the US, though (likely spoofed). Just saw a pretty large one last week which was SSDP 1900 to UDP port 80, 50K+ unique host addresses involved. On Wed, Mar 18, 2015 at 8:32 AM, Eric Rogers <ecrog...@precisionds.com> wrote: > We are using Mikrotik for a BGP blackhole server that collects BOGONs > from CYMRU and we also have our servers (web, email, etc.) use fail2ban > to add a bad IP to the Mikrotik. We then use BGP on all our core > routers to null route those IPs. > > The ban-time is for a few days, and totally dynamic, so it isn't a > permanent ban. Seems to have cut down on the attempts considerably. > > Eric Rogers > PDSConnect > www.pdsconnect.me > (317) 831-3000 x200 > > > -----Original Message----- > From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Roland Dobbins > Sent: Wednesday, March 18, 2015 6:04 AM > To: nanog@nanog.org > Subject: Re: Getting hit hard by CHINANET > > > On 18 Mar 2015, at 17:00, Roland Dobbins wrote: > > > This is not an optimal approach, and most providers are unlikely to > > engage in such behavior due to its potential negative impact (I'm > > assuming you mean via S/RTBH and/or flowspec). > > Here's one counterexample: > > <https://ripe68.ripe.net/presentations/176-RIPE68_JSnijders_DDoS_Damage_ > Control.pdf> > > ----------------------------------- > Roland Dobbins <rdobb...@arbor.net> > -- Ray Patrick Soucy Network Engineer University of Maine System T: 207-561-3526 F: 207-561-3531 MaineREN, Maine's Research and Education Network www.maineren.net