Is it time to abandon bogon prefix filters?

Niels Bakker niels=nanog at bakker.net
Thu Aug 7 18:03:21 CDT 2008


* randy at psg.com (Randy Bush) [Fri 08 Aug 2008, 00:59 CEST]:
> rob,
>> If the source of a scan or probe is a bogon, we tag it that way in our 
>> data store.  I went back to 2008-01 and found the following percentages 
>> of bogons in our data:
[..]
>>    2008-08: 0.001258054% (thus far)
>
> this is an extremely far cry from 60%.  what am i not understanding?
>
> and can you separate reserved (127, ...) and unallocated?

This is scanning of darknets - usually you're interested in what comes 
back, i.e. can you 0wn it?  so src has to be valid.

(D)DoS of course are much more likely to come closer to the 60% number. 
No need to get the SYN+ACKs or the ICMP echo replies back...


	-- Niels.
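
Added example, not part of the original message: one way to tag event sources as reserved, unallocated or routable and report the bogon share per event type, which is the split asked for in the quoted question. The unallocated list, the event tuples and all addresses are constructed (documentation ranges stand in for real networks); a real unallocated list has to come from current registry data.

```python
import ipaddress
from collections import Counter, defaultdict

# Special-purpose IPv4 space (abbreviated). Stable, unlike the unallocated list.
RESERVED = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]

def classify(src, unallocated):
    """Return 'reserved', 'unallocated' or 'routable' for one source address."""
    ip = ipaddress.ip_address(src)
    if any(ip in net for net in RESERVED):
        return "reserved"
    if any(ip in net for net in unallocated):
        return "unallocated"
    return "routable"

def bogon_share(events, unallocated):
    """events: iterable of (kind, src). Returns {kind: {class: percent}}."""
    counts = defaultdict(Counter)
    for kind, src in events:
        counts[kind][classify(src, unallocated)] += 1
    return {kind: {cls: 100.0 * n / sum(c.values()) for cls, n in c.items()}
            for kind, c in counts.items()}

# Constructed stand-in for a registry-derived unallocated list (assumption).
UNALLOCATED = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed sample events; 198.51.100.0/24 stands in for routable space.
EVENTS = [
    ("scan", "198.51.100.7"), ("scan", "198.51.100.9"),
    ("scan", "198.51.100.23"), ("scan", "10.1.2.3"),
    ("ddos", "127.0.0.1"), ("ddos", "203.0.113.5"),
    ("ddos", "203.0.113.77"), ("ddos", "198.51.100.40"),
    ("ddos", "240.1.1.1"),
]

if __name__ == "__main__":
    for kind, shares in bogon_share(EVENTS, UNALLOCATED).items():
        print(kind, {cls: round(pct, 1) for cls, pct in shares.items()})
```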



