Checking bogon status of new address space

James Hess mysidia at gmail.com
Sat May 9 14:10:49 UTC 2009


> 29/256 = 11% of the available address space.  My argument is, if
> someone is scanning you from random source addresses blocking 10%
> of the scan traffic is reaching a point of very little return for
> the effort of updating the address lists, and as we all know it is
> getting smaller and smaller.

Granted, if the filters aren't updated very frequently, they're pretty bad.

But... I would suggest, basically, filtering bogons is still great and
pretty important, it serves as an ongoing deterrent against random
unruly networks trying to pick up the unassigned addresses, or
treating the space as "Up for grabs" just because some space happens
to be unannounced (and unassigned).

This is a behavioral effect: possibly fewer scans are attempted from
those networks than would be attempted if nobody filtered bogons.

As a result, the assumption of randomness may not be warranted; if
bogons weren't filtered, there would be reasons hijackers would target
them (not having a "legitimate assignee" to contend with); 10% of
the space doesn't mean 10% of the scans; it could mean 40% of the
scans, if enough scanners had a policy of preferring to scan from
unassigned space.

With looming IP exhaustion it's possibly even more important... I'd
be worried about this scenario: APNIC denied your /12 request? No
problem... pick a random bogon from the last 30 unassigned /8s and
somehow sneak a line into your Tier1 provider contracts requiring they
propagate only your announcements to the /12....


The space might otherwise be very enticing for evil scanners to use,
because it's "easy pickings": no legitimate assignee of the address
space to hunt them down and send armies of lawyers on a raid...



--
-J
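As an added example (not part of the original post), the arithmetic behind the "29/256" figure and the filter-hit-rate question can be checked by collapsing a bogon prefix list, computing what fraction of the IPv4 space it covers, and applying it to a few flow records. The bogon list and the flow records here are constructed samples; the three "unassigned" /8s are placeholders, not a real bogon feed.

```python
import ipaddress

# Constructed sample bogon list: reserved blocks plus three placeholder /8s
# standing in for unassigned space. This is NOT a real or current bogon feed;
# an operator would pull an up-to-date list from their usual source.
SAMPLE_BOGONS = [
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
    "5.0.0.0/8", "37.0.0.0/8", "100.0.0.0/8",  # placeholder "unassigned" /8s
]

# Constructed flow records (timestamp, source, destination, dport); hypothetical.
SAMPLE_FLOWS = """\
2009-05-09T14:10:49 5.12.3.4 198.51.100.7 22
2009-05-09T14:10:50 203.0.113.9 198.51.100.7 22
2009-05-09T14:10:51 192.168.0.5 198.51.100.7 445
2009-05-09T14:10:52 198.51.100.200 198.51.100.7 80
"""

def parse_bogons(prefixes):
    """Parse CIDR strings and merge overlapping or adjacent prefixes."""
    nets = [ipaddress.ip_network(p, strict=False) for p in prefixes]
    return list(ipaddress.collapse_addresses(nets))

def coverage_fraction(nets):
    """Fraction of the 2**32 IPv4 addresses that the collapsed list covers."""
    return sum(n.num_addresses for n in nets) / 2 ** 32

def is_bogon(addr, nets):
    """True if addr falls inside any prefix in nets."""
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in nets)

def filter_flows(flows_text, nets):
    """Split flow lines into (kept, dropped) by a bogon check on the source."""
    kept, dropped = [], []
    for line in flows_text.splitlines():
        src = line.split()[1]
        (dropped if is_bogon(src, nets) else kept).append(line)
    return kept, dropped

if __name__ == "__main__":
    nets = parse_bogons(SAMPLE_BOGONS)
    print(f"{len(nets)} collapsed prefixes cover {coverage_fraction(nets):.1%} of IPv4")
    kept, dropped = filter_flows(SAMPLE_FLOWS, nets)
    print(f"dropped {len(dropped)} of {len(dropped) + len(kept)} sample flows")
```

The address-space fraction is what the quoted "29/256" computes; the dropped-flow fraction is the quantity the reply argues can differ from it, and only the second one is measurable from your own logs.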