Is it time to abandon bogon prefix filters?
Patrick W. Gilmore
patrick at ianai.net
Thu Aug 7 13:52:43 CDT 2008
On Aug 7, 2008, at 2:04 PM, Pete Templin wrote:
> Patrick W. Gilmore wrote:
>> Filter your bogons. But do it in an automated fashion, from a
>> trusted source.
>> Of course, I recommend Team Cymru, which has a most sterling
>> record. Nearly perfect (other than the fact they still recommend
>> MD5 on BGP sessions :).
> How can you recommend Team Cymru, when their product is not in any
> way a filter? It is merely an automated method of injecting
> aggregate null routes for bogons, but in no way prevents a network
> from accepting aggregate or specific bogon announcements (i.e. it
> does not _filter_).
Team Cymru offers many ways to set up filters, null routes, etc. See <http://www.team-cymru.org/Services/Bogons/>.
Oh, and to answer Randy's question about how much actually comes from
bogons, on that same page:
How much does it help to filter the bogons? In one study conducted by
Rob Thomas of a frequently attacked site, fully 60% of the naughty
packets were obvious bogons (e.g. 127.1.2.3, 0.5.4.3, etc.). A
presentation based on that study, entitled "60 Days of Basic
Naughtiness," can be viewed here. Your mileage may vary, and you may
opt to filter more conservatively or more liberally. As always, you
must KNOW YOUR NETWORK to understand the effects of such filtering.
I guess that means filtering bogons is useful.
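
The distinction raised in the quoted reply, between null-routing bogon aggregates and filtering bogon announcements, as an added example that is not part of the original message or of Team Cymru's tooling. The partial bogon list, peer names, announcements and source addresses are constructed for illustration, and the sketch is IPv4 only.

```python
import ipaddress

# Constructed, deliberately partial bogon list (a few IPv4 special-use blocks).
# A real deployment pulls the list from an automatically updated trusted feed.
BOGONS = [ipaddress.ip_network(p) for p in
          ("0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def accept_announcement(prefix):
    """Inbound prefix filter: drop a bogon block or any more-specific inside one."""
    net = ipaddress.ip_network(prefix)
    return not any(net.subnet_of(b) for b in BOGONS)

def build_rib(announcements, prefix_filter):
    """Start with null routes for the bogon aggregates, then add learned routes."""
    rib = {b: "null0" for b in BOGONS}
    for prefix, next_hop in announcements:
        if prefix_filter and not accept_announcement(prefix):
            continue  # filtered: never installed
        rib[ipaddress.ip_network(prefix)] = next_hop
    return rib

def lookup(rib, addr):
    """Longest-prefix match, as a router's forwarding lookup does."""
    ip = ipaddress.ip_address(addr)
    matches = [n for n in rib if ip in n]
    return rib[max(matches, key=lambda n: n.prefixlen)] if matches else None

def bogon_share(sources):
    """Fraction of source addresses that fall inside the bogon list."""
    hits = sum(any(ipaddress.ip_address(s) in b for b in BOGONS) for s in sources)
    return hits / len(sources)

# Constructed announcements. 203.0.113.0/24 is a documentation prefix standing in
# for a legitimate route; it is intentionally not in the sample list above.
ANNOUNCEMENTS = [("10.1.2.0/24", "peer-A"), ("203.0.113.0/24", "peer-B")]
# Constructed packet sources; the first two are the examples quoted in the post.
SOURCES = ["127.1.2.3", "0.5.4.3", "203.0.113.9", "10.9.9.9", "203.0.113.77"]

if __name__ == "__main__":
    for filtered in (False, True):
        rib = build_rib(ANNOUNCEMENTS, filtered)
        print("filter" if filtered else "null routes only",
              "-> 10.1.2.3 via", lookup(rib, "10.1.2.3"))
    print("bogon share of sources:", bogon_share(SOURCES))
```

With null routes alone, the learned /24 wins the longest-prefix match over the /8 null route; with the inbound filter it is never installed and the lookup falls through to the null route.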