Is it time to abandon bogon prefix filters?

Patrick W. Gilmore patrick at ianai.net
Thu Aug 7 18:52:43 UTC 2008


On Aug 7, 2008, at 2:04 PM, Pete Templin wrote:
> Patrick W. Gilmore wrote:
>
>> Filter your bogons.  But do it in an automated fashion, from a  
>> trusted source.
>> Of course, I recommend Team Cymru, which has a most sterling  
>> record.  Nearly perfect (other than the fact they still recommend  
>> MD5 on BGP sessions :).
>
> How can you recommend Team Cymru, when their product is not in any  
> way a filter?  It is merely an automated method of injecting  
> aggregate null routes for bogons, but in no way prevents a network  
> from accepting aggregate or specific bogon announcements (i.e. it  
> does not _filter_).

HUH?

Team Cymru offers many ways to set up filters, null routes, etc.  See <http://www.team-cymru.org/Services/Bogons/ 
 >.

Oh, and to answer Randy's question about how much actually comes from  
bogons, on that same page:

<quote>
How much does it help to filter the bogons? In one study conducted by  
Rob Thomas of a frequently attacked site, fully 60% of the naughty  
packets were obvious bogons (e.g. 127.1.2.3, 0.5.4.3, etc.). A  
presentation based on that study, entitled "60 Days of Basic  
Naughtiness," can be viewed here. Your mileage may vary, and you may  
opt to filter more conservatively or more liberally. As always, you  
must KNOW YOUR NETWORK to understand the effects of such filtering.
</quote>

I guess that means filtering bogons is useful.

-- 
TTFN,
patrick





More information about the NANOG mailing list