Is it time to abandon bogon prefix filters?
Justin Shore
justin at justinshore.com
Wed Aug 6 16:02:27 UTC 2008
Leo Bicknell wrote:
> Have bogon filters outlived their use? Is it time to recommend people
> go to a simpler bogon filter (e.g. no 1918, Class D, Class E) that
> doesn't need to be updated as frequently?
In my opinion no; BOGON filters are still very useful. Back when only
5% of the IP space was allocated we didn't have the same kinds of
serious threats to our networks and our users that we have today. We
didn't have spammers hijacking unallocated space (can it be considered
hijacking when the block hasn't been allocated yet?) to mass mail our
users, host phishing servers, run C&C servers for botnets, etc. Today
we do, and the use of what few networks are still unallocated for bad
purposes is prevalent.
For my users I only recommend that they use dynamic methods of keeping
up to date with changes in the BOGON list. While I still do much of my
BOGON work manually, as I'm sure many of us do, I have my local BOGON
lists updated within a few hours of learning of a new allocation
(sometimes even before the bogon-announce email arrives). For those
that aren't uber network geeks I recommend using something automated.
Look at it this way: you have what's essentially a mostly static list
of netblocks from which all traffic is unquestionably malicious.
Wouldn't you block it if you could for the sake of your network security
and that of your users?
Justin
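The trade-off the thread is discussing, a static "simple" bogon filter versus a full list that must track allocations, as an added example that is not part of Justin's post or of NANOG. The feed snapshots, the prefixes in them and the idea that 1.0.0.0/8 becomes allocated between the two are constructed for illustration; the static list is the RFC 1918, loopback, link-local, 0/8, class D and class E space mentioned in the thread. The last function shows the caveat a practitioner cares about: a copy of the full list that is not refreshed keeps dropping newly allocated space.

```python
from ipaddress import ip_address, ip_network, collapse_addresses

# The "simple" filter: prefixes that are never valid public source addresses,
# so this part of the list does not need updating as allocations happen.
STATIC_BOGONS = [ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]

# Constructed feed snapshots (hypothetical, not a real bogon feed): the set of
# unallocated prefixes on two different days. Between them 1.0.0.0/8 is
# assumed to have been allocated, so it drops out of the feed.
FEED_DAY1 = ["# unallocated prefixes, day 1 (constructed)", "1.0.0.0/8", "5.0.0.0/8"]
FEED_DAY2 = ["# unallocated prefixes, day 2 (constructed)", "5.0.0.0/8"]


def parse_feed(lines):
    """Parse one CIDR per line; '#' starts a comment, blank lines are skipped."""
    nets = []
    for line in lines:
        line = line.split("#", 1)[0].strip()
        if line:
            nets.append(ip_network(line, strict=False))
    return nets


def build_filter(feed_lines, static=STATIC_BOGONS):
    """Static part plus the current dynamic feed, collapsed into a minimal prefix set."""
    return sorted(collapse_addresses(list(static) + parse_feed(feed_lines)))


def is_bogon(src, bogons):
    """True if the source address falls inside any prefix of the filter."""
    addr = ip_address(src)
    return any(addr in net for net in bogons)


def diff_feeds(old_lines, new_lines):
    """(prefixes to remove from the filter, prefixes to add) between two snapshots."""
    old = set(parse_feed(old_lines))
    new = set(parse_feed(new_lines))
    return sorted(old - new), sorted(new - old)


def stale_filter_blocks(src, old_lines, new_lines):
    """True when a filter built from the stale snapshot still drops src although
    the current feed no longer lists it, i.e. legitimate traffic being blackholed."""
    return (is_bogon(src, build_filter(old_lines))
            and not is_bogon(src, build_filter(new_lines)))


def acl_lines(bogons):
    """Render the filter as Cisco-style ACL deny lines (wildcard mask form)."""
    return [f"deny ip {net.network_address} {net.hostmask} any" for net in bogons]


if __name__ == "__main__":
    removed, added = diff_feeds(FEED_DAY1, FEED_DAY2)
    print("remove from filter:", removed, "add to filter:", added)
    print("1.2.3.4 still dropped by stale copy:",
          stale_filter_blocks("1.2.3.4", FEED_DAY1, FEED_DAY2))
    for line in acl_lines(build_filter(FEED_DAY2)):
        print(line)
```

Running the module prints the change between the two snapshots and the ACL built from the newer one. The point of `diff_feeds` is that an automated update should be a diff applied to the filter, not a wholesale replacement, so that an operator can review exactly which prefixes start or stop being dropped; `stale_filter_blocks` is the check to run against a copy of the list whose age is unknown.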