Bogon filtering (don't ban me)

Sean Donelan sean at donelan.com
Mon Dec 6 01:01:21 UTC 2004


On Sun, 5 Dec 2004, Rob Thomas wrote:
> In a study of one oft' scanned and attacked site, we found that
> 66.85% of the source IPs were bogon (RFC1918, unallocated, etc.).
> You can read about it at the following URL:
>
>    <http://www.cymru.com/Presentations/60days.ppt>

One of the more annoying things has been Team Cymru munged "Unallocated"
and "Martian" addresses together to create "Bogons."  As your 2001
presentation indicates, 53.39% were from Class D and E space, which
means about 13% were from "Unallocated" space.  And of course about
34% from "Allocated" space.

Protocol hygiene is good.  Keeping martians out of the routing table and
dropping packets with never valid source addresses is good.  Unless the
RFCs are changed, those IP addresses are extremely stable.

The unfortunate use of the word "Bogon" has led some less technical
people to believe everything in the Team Cymru lists are the same.  The
problems with the Team Cymru lists occur because they include unallocated
space in the same list in a recommended static router configuration file.
For most users, router configuration files are very static.  The
configurations are created when they install the router, and rarely
updated.

Car commercials say "Do not attempt.  Professional driver on closed
course."

Unless you are a professional router driver, using Team Cymru's
suggested router configuration will hurt most average users.  Which is
a problem because a lot of the Team Cymru recommendations are good
router hygiene.  But I can't in good faith recommend people use the Team
Cymru, because of those dangerous inclusions.
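
The distinction drawn in the message above, as an added example that is not part of the original post and not Team Cymru's configuration: martian prefixes are fixed by RFC and can sit in a static filter, while an unallocated-space list is only usable while it is fresh. The snapshot prefixes, the 30-day `MAX_AGE`, the fail-open choice for a stale list, and the sample addresses are all assumptions constructed for illustration.

```python
import ipaddress
from datetime import date, timedelta

# Never-valid source ranges, fixed by RFC: safe to keep in a static filter.
MARTIANS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8",        # "this network"
    "10.0.0.0/8",       # RFC 1918
    "127.0.0.0/8",      # loopback
    "169.254.0.0/16",   # link-local
    "172.16.0.0/12",    # RFC 1918
    "192.168.0.0/16",   # RFC 1918
    "224.0.0.0/4",      # Class D (multicast)
    "240.0.0.0/4",      # Class E (reserved)
)]

# Constructed snapshot of "unallocated" space. The prefixes are placeholders,
# not real registry state; only the fetch date matters for the demonstration.
UNALLOCATED_SNAPSHOT = {
    "fetched": date(2004, 12, 1),
    "prefixes": [ipaddress.ip_network(p) for p in ("100.0.0.0/8", "101.0.0.0/8")],
}
MAX_AGE = timedelta(days=30)  # assumed refresh policy


def classify(src, today, snapshot=UNALLOCATED_SNAPSHOT):
    """Return (category, action) for a source address on a given date."""
    ip = ipaddress.ip_address(src)
    if any(ip in net for net in MARTIANS):
        return ("martian", "drop")
    stale = today - snapshot["fetched"] > MAX_AGE
    if any(ip in net for net in snapshot["prefixes"]):
        # A stale snapshot may list space that has since been allocated,
        # so it is not trusted to drop traffic (assumed fail-open policy).
        return ("unallocated-stale", "permit") if stale else ("unallocated", "drop")
    return ("allocated", "permit")


if __name__ == "__main__":
    # Constructed sample sources, evaluated with a fresh and a stale snapshot.
    for when in (date(2004, 12, 6), date(2005, 6, 1)):
        for src in ("10.1.2.3", "230.0.0.1", "250.9.9.9", "100.20.30.40", "12.34.56.78"):
            print(when, src, *classify(src, when))
```

The martian verdicts are identical on both dates; only the verdict that depends on the dated snapshot changes once the list has aged past its refresh window.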


