do bogon filters still help?
Edward Lewis
Ed.Lewis at neustar.biz
Wed Jan 11 18:16:43 UTC 2006
No data, but I thought I should add...RFC 3330 "Special-Use IPv4
Addresses" lists the "obvious stuff." I just went through an
exercise in de-bogonizing and needed that reference.
[http://www.ietf.org/rfc/rfc3330.txt]
Be careful though. It lists 24.0.0.0/8 as "special," explaining that
this went to cable operators (and eventually administered via ARIN).
So don't just use the Summary Table in section 3 blindly.
At 13:03 -0500 1/11/06, Steven M. Bellovin wrote:
>Every time IANA allocates new prefixes, we're treated to complaints about
>sites that are not reachable because they're in the new space and some
>places haven't updated their bogon filters. My question is this: have we
>reached a point where the bogon filters are causing more pain than they're
>worth?
>
>The Team Cymru web page (http://www.cymru.com/Bogons/index.html) gives
>some justification, but I think the question should be revisited. First,
>as the page (and the associated presentation) note, most of the
>benefit comes from filtering obvious stuff -- 0/8, 127/8, and
>"class" D and E source addresses. Second, the study is about 5
>years old, maybe more; attack patterns have changed since then.
>Third, considerably more address space has been allocated; this
>means that the percentage of address space that can be considered bogus is
>significantly smaller. Possibly, there are more sites doing edge
>filtering, but I'd hate to count on that.
>
>So -- I'd like people to re-examine the question. Does anyone have more
>recent data on the frequency of bogons as a percentage of attack
>packets? What would that number look like if you filtered just the
>obvious -- the ranges given above, plus the RFC 1918 prefixes? Are
>your defenses against non-spoofed attacks really helped by the extra
>filtering?
>
> --Steven M. Bellovin, http://www.cs.columbia.edu/~smb
--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis +1-571-434-5468
NeuStar
Inactionable unintelligence is bliss.
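As an added illustration that is not part of the thread, the filter below encodes the "obvious stuff" Steven lists (0/8, 127/8, class D and E, plus RFC 1918) and treats 24.0.0.0/8 the way Ed's caveat requires: listed in the RFC 3330 summary table, but allocated and therefore not filtered. The function names, the three class labels and the sample source addresses are constructed for the example, and it reports the fraction of sample packets that carry an obvious-bogon source, which is the number Steven asks people to measure.

```python
import ipaddress
from collections import Counter

# The "obvious stuff" from the thread: 0/8, 127/8, class D (224/4), class E (240/4),
# plus the RFC 1918 private prefixes. Prefix list constructed for this example.
OBVIOUS_BOGONS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "127.0.0.0/8", "224.0.0.0/4", "240.0.0.0/4",
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
)]

# RFC 3330 section 3 lists 24.0.0.0/8 as special-use, but as the post warns it
# went to cable operators and is administered by ARIN: legitimate source space,
# so it is reported separately and never dropped.
RFC3330_LISTED_BUT_ALLOCATED = [ipaddress.ip_network("24.0.0.0/8")]


def classify_source(addr: str) -> str:
    """Label an IPv4 source address; raises ValueError on anything else."""
    ip = ipaddress.IPv4Address(addr)
    if any(ip in net for net in OBVIOUS_BOGONS):
        return "bogon"
    if any(ip in net for net in RFC3330_LISTED_BUT_ALLOCATED):
        return "allocated-despite-rfc3330"
    return "unfiltered"  # nothing in the obvious list; no claim about the rest


def bogon_ratio(sources):
    """Return (count per label, fraction of packets with an obvious-bogon source)."""
    counts = Counter(classify_source(s) for s in sources)
    total = sum(counts.values())
    return counts, (counts["bogon"] / total if total else 0.0)


# Constructed sample of packet source addresses (documentation ranges, not real traffic).
SAMPLE_SOURCES = [
    "127.0.0.1", "10.1.2.3", "224.0.0.5", "0.0.0.1",      # obvious bogons
    "24.13.7.9", "24.200.1.1",                            # RFC 3330-listed but allocated
    "192.0.2.10", "198.51.100.77", "203.0.113.5", "198.51.100.8",
]

if __name__ == "__main__":
    counts, ratio = bogon_ratio(SAMPLE_SOURCES)
    print(dict(counts), f"obvious-bogon share: {ratio:.0%}")
```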