Is it time to abandon bogon prefix filters?

Rob Thomas robt at
Thu Aug 7 16:38:47 CDT 2008

Hi, NANOG (he says with a shout)!

> btw, patrick neglected the last sentences of that paragraph, which made
> me wonder what rob would actually say.  luckily, in response to my post,
> rob replied that he/they would try to get some useful measures in the
> near term.  i am patient.

Yep yep, have some results at last.  Sorry, the queries took a bit 
longer than planned.

Note that the study I conducted which populated the "60 Days of Basic 
Naughtiness" presentation is now years old.  Such studies, like me, 
don't necessarily age well.  :)

This is not meant to replace a more comprehensive and clueful study by 
the likes of Vern, Stefan, and the CAIDA crew.  As folks may know, we 
have a large Darknet[1] project.  In there we collect the scanning 
activity of malware, backscatter, and the like.  Often we can tie the 
scanning pattern to a family of malware or maltool.

If the source of a scan or probe is a bogon, we tag it that way in our 
data store.  I went back to 2008-01 and found the following percentages 
of bogons in our data:

    2008-01: 0.001095262%
    2008-02: 0.001759343%
    2008-03: 0.001619555%
    2008-04: 0.001433908%
    2008-05: 0.001182351%
    2008-06: 0.130534559%
    2008-07: 0.002327683%
    2008-08: 0.001258054% (thus far)

That's not a lot of bogon activity in the Darknets, though Darknets are 
only one measure of malevolent traffic.  Your mileage may vary, etc.

    [1] <>

Rob Thomas
Team Cymru
cmn_err(CEO_PANIC, "Out of coffee!");
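
Added example, not part of the original post and not Team Cymru's code: a sketch of the tagging step described above, marking each probe source as bogon or not and reporting the per-month percentage. The prefix list (a short static set of special-use IPv4 ranges), the record layout, and the sample events are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Assumption: a short static list of special-use IPv4 prefixes. A real bogon
# list also covers unallocated space and has to be refreshed as it changes.
BOGON_PREFIXES = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.2.0/24", "192.168.0.0/16", "224.0.0.0/3",
)]

# Constructed sample records (date, probe source); not real observations.
# The public addresses only stand in for "any routable source".
SAMPLE_EVENTS = [
    ("2008-06-03", "10.1.2.3"),
    ("2008-06-03", "8.8.8.8"),
    ("2008-06-17", "1.1.1.1"),
    ("2008-06-29", "9.9.9.9"),
    ("2008-07-02", "172.16.5.5"),
    ("2008-07-02", "not-an-address"),   # malformed source field
    ("2008-07-09", "8.8.4.4"),
]

def is_bogon(src):
    """Return True if src lies inside any listed prefix (ValueError if malformed)."""
    ip = ipaddress.ip_address(src)
    return any(ip in net for net in BOGON_PREFIXES)

def monthly_bogon_percent(events):
    """Map 'YYYY-MM' to the percentage of parseable sources tagged as bogon."""
    totals = defaultdict(int)
    bogons = defaultdict(int)
    for date, src in events:
        month = date[:7]
        try:
            tagged = is_bogon(src)
        except ValueError:
            continue  # skip malformed records rather than misclassify them
        totals[month] += 1
        bogons[month] += tagged
    return {m: 100.0 * bogons[m] / totals[m] for m in sorted(totals)}

if __name__ == "__main__":
    for month, pct in monthly_bogon_percent(SAMPLE_EVENTS).items():
        print(f"{month}: {pct:.9f}%")
```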
