Is it time to abandon bogon prefix filters?

Sean Donelan sean at donelan.com
Fri Aug 22 00:18:37 UTC 2008


On Mon, 18 Aug 2008, Danny McPherson wrote:
> All the interesting attacks today that employ spoofing (and the
> majority of the less-interesting ones that employ spoofing) are
> usually relying on existence of the source as part of the attack
> vector (e.g., DNS cache poisoning, BGP TCP RST attacks,
> DNS reflective amplification attacks, etc..), and as a result, loose
> mode gives folks a false sense of protection/action.

Yep.  Same thing with bogon filters.  Any attacker which can source
packets with bogon addresses, can by definition, source packets with
any "valid" IP address too.  Great as an academic exercise, but the bad 
guys are going to send evil packets without the evil bit nor using bogon 
addresses.  If the bad guys are using spoofed addresses, they don't care 
about the reply packets to either valid or unallocated addresses.

However, seeing packets with unallocated IP addresses on the Internet
is evidence of a broken network.  Just like when a network trips
"max prefix" on a BGP session, shouldn't a broken network be shutdown
until the problem is fixed.  If you don't want to risk your network
peers turning off the connections, make sure your network doesn't source 
spoofed packets.





More information about the NANOG mailing list