Is it time to abandon bogon prefix filters?

Rob Thomas robt at cymru.com
Thu Aug 7 18:13:12 CDT 2008


Hey, Randy.

> this is an extremely far cry from 60%.  what am i not understanding?

There are a few factors at work here.

One, the 60% figure was from 2001-03-16.  There were more bogons then, 
and our sundry measures saw a lot more malevolence from bogon space.

A popular belief in the underground in 2001 was that spoofing in 
general, and the use of bogon space specifically, added a layer of 
protection for their collections of compromised hosts.  In the age of 
masses of compromised routers, servers, and workstations, that's no 
longer a necessary defensive measure.  At circa US $.04 each, bots are 
easily replaced.  Compromised routers don't cost much more than that.

Two, we really can't compare the two (time issues aside).  The 60% 
figure came from a study of a frequently (as in daily) attacked web 
site.  The figures I shared today came from our Darknets, which are more 
global and not limited to a certain type of service or site owner.

Third, that site has been split into multiple sites (after about 2005) 
so unfortunately I can't easily reproduce the study from 2001.  That is 
a real bummer.

So I'm not comparing apples and apples.

We also track DDoS attacks, malware propagation, and other Internet 
malevolence.  As a shot from the hip, I'll say we see very little abuse 
from bogon IP space.  I won't say we see no abuse from bogon space, 
however, so we keep bogons automatically filtered on our border.  I like 
to keep the online criminal toolkit as sparse as I can.  :)

> and can you separate reserved (127, ...) and unallocated?

I can indeed, though it'll take me a bit to do so.  Again, stay tuned.

Thanks,
Rob.
-- 
Rob Thomas
Team Cymru
http://www.team-cymru.org/
cmn_err(CEO_PANIC, "Out of coffee!");





More information about the NANOG mailing list