Is it time to abandon bogon prefix filters?
Rob Thomas
robt at cymru.com
Thu Aug 7 21:38:47 UTC 2008
Hi, NANOG (he says with a shout)!
> btw, patrick neglected the last sentences of that paragraph, which made
> me wonder what rob would actually say. luckily, in response to my post,
> rob replied that he/they would try to get some useful measures in the
> near term. i am patient.
Yep yep, have some results at last. Sorry, the queries took a bit
longer than planned.
Note that the study I conducted which populated the "60 Days of Basic
Naughtiness" presentation is now years old. Such studies, like me,
don't necessarily age well. :)
This is not meant to replace a more comprehensive and clueful study by
the likes of Vern, Stefan, and the CAIDA crew. As folks may know we
have a large Darknet[1] project. In there we collect the scanning
activity of malware, backscatter, and the like. Often we can tie the
scanning pattern to a family of malware or maltool.
If the source of a scan or probe is a bogon, we tag it that way in our
data store. I went back to 2008-01 and found the following percentages
of bogons in our data:
2008-01: 0.001095262%
2008-02: 0.001759343%
2008-03: 0.001619555%
2008-04: 0.001433908%
2008-05: 0.001182351%
2008-06: 0.130534559%
2008-07: 0.002327683%
2008-08: 0.001258054% (thus far)
That's not a lot of bogon activity in the Darknets, though Darknets are
only one measure of malevolent traffic. Your mileage may vary, etc.
[1] <http://www.team-cymru.org/Services/darknets.html>
Thanks,
Rob.
--
Rob Thomas
Team Cymru
http://www.team-cymru.org/
cmn_err(CEO_PANIC, "Out of coffee!");
More information about the NANOG
mailing list