Is it time to abandon bogon prefix filters?
Tomas L. Byrnes
tomb at byrneit.net
Mon Aug 25 06:21:23 UTC 2008
You're missing one of the basic issues with bogon sources: they are
often advertised bogons, i.e. the bad guy DOES care about getting the
packets back, and has, in fact, created a way to do so.
This is usually VERY BAD traffic, and EVEN WORSE if a user goes TO a
site hosted in such IP space.
So, bogon filtering has value beyond mere spoofed source rejection.
> -----Original Message-----
> From: Sean Donelan [mailto:sean at donelan.com]
> Sent: Thursday, August 21, 2008 5:19 PM
> To: NANOG list
> Subject: Re: Is it time to abandon bogon prefix filters?
>
> On Mon, 18 Aug 2008, Danny McPherson wrote:
> > All the interesting attacks today that employ spoofing (and the
> > majority of the less-interesting ones that employ spoofing) are
> > usually relying on existence of the source as part of the attack
> > vector (e.g., DNS cache poisoning, BGP TCP RST attacks, DNS
> reflective
> > amplification attacks, etc..), and as a result, loose mode
> gives folks
> > a false sense of protection/action.
>
> Yep. Same thing with bogon filters. Any attacker which can
> source packets with bogon addresses, can by definition,
> source packets with any "valid" IP address too. Great as an
> academic exercise, but the bad guys are going to send evil
> packets without the evil bit nor using bogon addresses. If
> the bad guys are using spoofed addresses, they don't care
> about the reply packets to either valid or unallocated addresses.
>
> However, seeing packets with unallocated IP addresses on the
> Internet is evidence of a broken network. Just like when a
> network trips "max prefix" on a BGP session, shouldn't a
> broken network be shutdown until the problem is fixed. If
> you don't want to risk your network peers turning off the
> connections, make sure your network doesn't source spoofed packets.
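The two sides of the thread describe two different things a bogon filter catches: packets whose source address sits in unallocated or special-use space (Sean's case, where the sender does not care about replies) and BGP announcements for prefixes in that same space (Tomas's "advertised bogon" case, where the sender very much wants the return traffic). The script below is an added illustration, not code from either poster or from NANOG; the bogon list, packet samples, announcements and origin ASNs are all constructed for the example (the ASNs are from the documentation range), and a real deployment would refresh the list from an authoritative source because allocated space changes over time, which is exactly the maintenance burden the thread is debating.

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed bogon list for this example: special-use and private space that
# should never appear as a public packet source or as a public BGP announcement.
# A production list must be refreshed as unallocated space gets allocated,
# otherwise the filter starts dropping legitimate traffic.
BOGON_PREFIXES = [
    ipaddress.ip_network(p) for p in (
        "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
        "169.254.0.0/16", "172.16.0.0/12", "192.0.2.0/24", "192.168.0.0/16",
        "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "224.0.0.0/4",
        "240.0.0.0/4",
    )
]

# Constructed (src, dst) pairs. 11.22.33.44 and 55.66.77.88 are placeholders
# standing in for allocated, routable space.
SAMPLE_PACKETS = [
    ("10.1.2.3", "11.22.33.44"),      # private source: spoofed or leaked
    ("11.22.33.44", "55.66.77.88"),   # ordinary traffic
    ("240.0.0.1", "55.66.77.88"),     # reserved class E source
]

# Constructed BGP announcements as (prefix, origin ASN); ASNs are from the
# documentation range, not real networks.
SAMPLE_ANNOUNCEMENTS = [
    ("192.0.2.0/24", 64496),   # documentation prefix announced: advertised bogon
    ("11.22.0.0/16", 64497),   # placeholder for a legitimate announcement
    ("240.1.0.0/16", 64498),   # more-specific inside reserved space
]


def matching_bogon(addr: str, bogons=BOGON_PREFIXES) -> Optional[ipaddress.IPv4Network]:
    """Return the bogon prefix containing addr, or None when addr is not a bogon."""
    ip = ipaddress.ip_address(addr)
    for net in bogons:
        if ip in net:  # False (not an error) for an address of the other IP version
            return net
    return None


def filter_sources(packets, bogons=BOGON_PREFIXES) -> Tuple[List[tuple], List[tuple]]:
    """Apply an ingress ACL: drop packets whose source is in bogon space.

    This is the 'spoofed source rejection' half of the argument: it stops
    packets a spoofer sends, but says nothing about where replies would go.
    """
    accepted, dropped = [], []
    for src, dst in packets:
        (dropped if matching_bogon(src, bogons) else accepted).append((src, dst))
    return accepted, dropped


def advertised_bogons(announcements, bogons=BOGON_PREFIXES) -> List[Tuple[str, int, str]]:
    """Flag announcements overlapping bogon space: the 'advertised bogon' case.

    Any overlap counts, so a more-specific announced inside a bogon block is
    caught too. Returns (prefix, origin_asn, matched_bogon) triples.
    """
    flagged = []
    for prefix, origin_asn in announcements:
        net = ipaddress.ip_network(prefix, strict=False)
        for bogon in bogons:
            if net.overlaps(bogon):
                flagged.append((prefix, origin_asn, str(bogon)))
                break
    return flagged


if __name__ == "__main__":
    accepted, dropped = filter_sources(SAMPLE_PACKETS)
    print("dropped packets:", dropped)
    print("accepted packets:", accepted)
    for prefix, asn, bogon in advertised_bogons(SAMPLE_ANNOUNCEMENTS):
        print(f"advertised bogon {prefix} from AS{asn} (overlaps {bogon})")
```

The announcement check is the part a plain ingress ACL does not cover: a prefix filter on the BGP session rejects the route before the network ever has a path back to the bogon space, which is what makes the "advertised bogon" traffic reachable in the first place.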