Is it time to abandon bogon prefix filters?
Rob Thomas
robt at cymru.com
Thu Aug 7 23:13:12 UTC 2008
Hey, Randy.

> this is an extremely far cry from 60%. what am i not understanding?

There are a few factors at work here.

One, the 60% figure was from 2001-03-16. There were more bogons then,
and our sundry measures saw a lot more malevolence from bogon space.
A popular belief in the underground in 2001 was that spoofing in
general, and the use of bogon space specifically, added a layer of
protection for their collections of compromised hosts. In the age of
masses of compromised routers, servers, and workstations, that's no
longer a necessary defensive measure. At circa US $.04 each, bots are
easily replaced. Compromised routers don't cost much more than that.

Two, we really can't compare the two (time issues aside). The 60%
figure came from a study of a frequently (as in daily) attacked web
site. The figures I shared today came from our Darknets, which are more
global and not limited to a certain type of service or site owner.

Third, that site has been split into multiple sites (after about 2005)
so unfortunately I can't easily reproduce the study from 2001. That is
a real bummer.

So I'm not comparing apples and apples.

We also track DDoS attacks, malware propagation, and other Internet
malevolence. As a shot from the hip, I'll say we see very little abuse
from bogon IP space. I won't say we see no abuse from bogon space,
however, so we keep bogons automatically filtered on our border. I like
to keep the online criminal toolkit as sparse as I can. :)

> and can you separate reserved (127, ...) and unallocated?

I can indeed, though it'll take me a bit to do so. Again, stay tuned.

Thanks,
Rob.
--
Rob Thomas
Team Cymru
http://www.team-cymru.org/
cmn_err(CEO_PANIC, "Out of coffee!");
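
Added example, not part of the message above and not Team Cymru's tooling: one way to split a tally of darknet source addresses into reserved and unallocated bogons, the breakdown asked for in the thread. The `UNALLOCATED` list and the sample sources are constructed for illustration; a real run would load the current unallocated blocks from a maintained bogon list.

```python
import ipaddress
from collections import Counter

# Reserved (special-purpose) IPv4 blocks that should never appear as a
# source address on the public Internet. Subset of the IANA registry.
RESERVED = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.2.0/24", "192.168.0.0/16",
    "224.0.0.0/4", "240.0.0.0/4",
)]

# Constructed sample list, NOT current allocation data. Unallocated space
# changes as blocks are assigned, so this list must be refreshed regularly.
UNALLOCATED = [ipaddress.ip_network(n) for n in ("1.0.0.0/8", "5.0.0.0/8")]


def classify(src, unallocated=UNALLOCATED):
    """Return 'reserved', 'unallocated', 'routable' or 'invalid' for one source."""
    try:
        addr = ipaddress.IPv4Address(src)
    except ValueError:          # malformed text or a non-IPv4 address
        return "invalid"
    if any(addr in net for net in RESERVED):
        return "reserved"
    if any(addr in net for net in unallocated):
        return "unallocated"
    return "routable"


def bogon_share(sources):
    """Count each category and return (counts, percent of valid sources)."""
    counts = Counter(classify(s) for s in sources)
    valid = sum(n for kind, n in counts.items() if kind != "invalid")
    pct = {kind: (round(100.0 * counts[kind] / valid, 1) if valid else 0.0)
           for kind in ("reserved", "unallocated", "routable")}
    return counts, pct


# Constructed sample of source addresses as they might be logged by a darknet.
SAMPLE_SOURCES = [
    "127.0.0.1", "10.4.4.4", "192.168.1.77",       # reserved
    "1.2.3.4", "5.6.7.8",                          # unallocated (sample list)
    "66.1.2.3", "66.9.9.9", "80.10.20.30",         # routable
    "80.1.1.1", "200.5.6.7",                       # routable
    "not-an-ip",                                   # malformed log field
]

if __name__ == "__main__":
    counts, pct = bogon_share(SAMPLE_SOURCES)
    print(dict(counts), pct)
```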