[c-nsp] [Re: huge amount of weird traffic on point-to-point ethernet link]

Michael.Dillon at btradianz.com Michael.Dillon at btradianz.com
Fri Nov 10 13:24:58 UTC 2006

> > If there were some way to have a feed of real bogons,
> > i.e. address prefixes that are *KNOWN* to be bogus at
> > the point in time they are in the feed, that would be
> > useful for filtering. And it would likely be a best practice
> > to use such a feed.
> >
> > But at the present time, such a feed does not exist.
> http://www.cymru.com/BGP/bogon-rs.html

That is not a feed of routes that are known to be bogus.
That is a feed of routes that use addresses which have 
not been allocated by IANA to an RIR. There are many 
bogus routes that are not included in the Cymru feed.

For instance,
  - RIR address ranges that have not yet been allocated
  - ISP address ranges that have not yet been assigned
  - Assigned address ranges that are not announced by
    the assignee.
  - Address ranges from which a high percentage of the
    traffic is SPAM, i.e. a network owned by spammers.

I am arguing that it is better to start with a database
that allows several attributes, both negative and positive,
to be associated with address ranges. Then build a feed
from that, in fact, allow the user to specify which attributes
they want in their feed. One size fits all just doesn't work.

--Michael Dillon

More information about the NANOG mailing list
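
A sketch of the attribute database and per-user feed proposed in the message above, added here as an illustration and not code from the poster or from any existing feed. The attribute names, the `build_feed` and `covered` helpers, and the sample prefixes (documentation and benchmark ranges) are all constructed assumptions; the sketch handles one address family (IPv4).

```python
import ipaddress

# Constructed sample records: (prefix, attributes). Attribute names are
# hypothetical labels for the categories listed in the message.
RECORDS = [
    ("198.51.100.0/24", {"unallocated-by-iana"}),
    ("203.0.113.0/25", {"rir-unallocated"}),
    ("203.0.113.128/25", {"isp-unassigned"}),
    ("192.0.2.0/24", {"assigned-not-announced"}),
    ("198.18.0.0/16", {"spam-source"}),
    ("198.18.4.0/24", {"verified-customer"}),  # a positive attribute
]

def build_feed(records, wanted, trusted=frozenset()):
    """Prefixes carrying any `wanted` (negative) attribute, with prefixes
    carrying any `trusted` (positive) attribute carved out, then aggregated."""
    block = [ipaddress.ip_network(p) for p, a in records if a & set(wanted)]
    allow = [ipaddress.ip_network(p) for p, a in records if a & set(trusted)]
    result = []
    for net in block:
        pieces = [net]
        for ok in allow:
            remaining = []
            for piece in pieces:
                if piece.subnet_of(ok):
                    continue  # piece is entirely trusted: drop it
                if ok.subnet_of(piece):
                    # Split the piece around the trusted more-specific prefix.
                    remaining.extend(piece.address_exclude(ok))
                else:
                    remaining.append(piece)
            pieces = remaining
        result.extend(pieces)
    # Merge adjacent prefixes so the resulting filter list stays short.
    return list(ipaddress.collapse_addresses(result))

def covered(feed, address):
    """True if `address` falls inside any prefix of the feed."""
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in feed)

if __name__ == "__main__":
    # One user filters on allocation status only; another filters spam
    # sources but exempts prefixes marked as verified customers.
    print(build_feed(RECORDS, {"rir-unallocated", "isp-unassigned"}))
    print(build_feed(RECORDS, {"spam-source"}, {"verified-customer"}))
```
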