Bogon filtering (don't ban me)

Rob Thomas robt at cymru.com
Sun Dec 5 19:03:37 UTC 2004


Hi, NANOGers.

] - That's only some 40% of all address space, so you need to be able to
] deal with the other 60% anyway. Why wouldn't whatever mechanism that
] deals with the 60% be unable to deal with the additional 40%?

In a study of one oft' scanned and attacked site, we found that
66.85% of the source IPs were bogon (RFC1918, unallocated, etc.).
You can read about it at the following URL:

   <http://www.cymru.com/Presentations/60days.ppt>

Filtering out bogons removes yet one more potential source of
badness.  Does it remove all badness?  Of course not.  We win
by degrees.  Removing any tool from the bad persons' toolkit is
useful.

Those who track backscatter (the detritus of a spoofed source
attack) are still seeing a healthy bit of traffic.  While
spoofing is less popular than it once was, it still remains a
viable attack feature.  Tools such as bang.c depend entirely on
the ability to spoof.  Not all spoofing uses bogon IP space.
That's fine, we can reduce the alternatives bit by bit.

Dealing with the other sources of badness is an exercise for
other ideas.  The Darknet Project is one such way to spot that
badness.

   <http://www.cymru.com/Darknet/>

How you choose to respond to that badness (report it to the
source, report it to their upstreams, null route them, do
nothing) is of course up to you.

] - (Loose) uRPF will buy you the exact same functionality and more
] without any upkeep.

Even with uRPF one needs to keep the RIB clean.  That means the
use of filtering.  We and others provide those as well:

 <http://www.cymru.com/Documents/secure-bgp-template.html>
 <http://www.cymru.com/gillsr/documents/junos-bgp-template.htm>
 <ftp://ftp-eng.cisco.com/cons/isp/security/Ingress-Prefix-Filter-Templates/>

Thanks,
Rob.
-- 
Rob Thomas
http://www.cymru.com
ASSERT(coffee != empty);
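
As an added illustration of the bogon measurement the post describes (this is not code from the original message or from Team Cymru), the Python script below pulls the source addresses out of a few constructed firewall log lines, checks them against a static, constructed subset of reserved prefixes, and reports the bogon share; the log format and the prefix list are assumptions, and a real filter would take its list from a maintained feed, since unallocated space changes over time.

```python
import ipaddress
import re

# Constructed, static subset of reserved/special-use IPv4 space (RFC 1918,
# loopback, link-local, documentation nets, multicast, class E). It is NOT a
# complete or current bogon list: the unallocated part changes over time, so
# a production filter must pull its prefixes from a maintained source.
BOGON_PREFIXES = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.2.0/24",
    "192.168.0.0/16", "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24",
    "224.0.0.0/4", "240.0.0.0/4",
)]

# Constructed iptables-style log lines; the SRC= field is what gets classified.
SAMPLE_LOG = """\
kernel: DROP IN=eth0 SRC=10.4.4.4 DST=198.51.100.7 PROTO=TCP DPT=22
kernel: DROP IN=eth0 SRC=192.168.1.77 DST=198.51.100.7 PROTO=TCP DPT=445
kernel: DROP IN=eth0 SRC=0.0.0.0 DST=198.51.100.7 PROTO=UDP DPT=53
kernel: DROP IN=eth0 SRC=224.0.0.5 DST=198.51.100.7 PROTO=TCP DPT=80
kernel: DROP IN=eth0 SRC=37.0.0.1 DST=198.51.100.7 PROTO=TCP DPT=22
kernel: DROP IN=eth0 SRC=64.0.0.2 DST=198.51.100.7 PROTO=TCP DPT=3389
kernel: DROP IN=eth0 SRC=not-an-ip DST=198.51.100.7 PROTO=TCP DPT=22
"""

SRC_RE = re.compile(r"\bSRC=(\S+)")


def is_bogon(addr: str) -> bool:
    """True if addr lies inside any prefix in BOGON_PREFIXES (ValueError on garbage)."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in BOGON_PREFIXES)


def bogon_share(log_text: str):
    """Return (bogon_count, total, fraction) over the SRC= fields in log_text.
    Unparseable addresses are skipped rather than counted either way."""
    bogon = total = 0
    for src in SRC_RE.findall(log_text):
        try:
            hit = is_bogon(src)
        except ValueError:
            continue          # malformed field: not evidence for either side
        total += 1
        if hit:
            bogon += 1
    return bogon, total, (bogon / total if total else 0.0)


if __name__ == "__main__":
    b, t, f = bogon_share(SAMPLE_LOG)
    print(f"{b}/{t} dropped flows ({f:.1%}) had a bogon source address")
```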
