Is it time to abandon bogon prefix filters?
Andree Toonk
andree+nanog at toonk.nl
Thu Aug 14 17:04:01 UTC 2008
Hi Randy,
.-- My secret spy satellite informs me that at Thu, 07 Aug 2008, Randy Bush wrote:
> serious curiosity:
>
> what is the proportion of bad stuff coming from unallocated space vs
> allocated space? real measurements, please. and are there longitudinal
> data on this?
>
> are the uw folk, gatech, vern, ... measuring?
I did some measurements in The Netherlands (SURFnet) using netflow around 1,5
years ago. During this project around 86 million 'Bogon flows' were analyzed. This was not
more than 0.1% (probably even lower) of all flows during that 1 week period.
The majority of these flows were actually from/to RFC1918 address space.
One of the things (amongst others) we looked at was SMTP traffic from / to
bogons, to verify the theory that spammers announce a bogon prefix to send spam. From the 86
million bogon flows analyzed, 12 SMTP flows were found, very minimal.
Other things we looked at, were type of traffic (applications) & protocols and
the sources of those flows.
We saw some strange (interesting) things, but that was really just a few flows
in many many many millions of flows.
Anyways, if you're interested the research report can be found here:
http://www.toonk.nl/bogon-traffic-analysis.pdf
There's also a presentation http://www.toonk.nl/presentations.php
Cheers,
Andree
--
Andree Toonk
http://www.toonk.ca/blog/
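
Added example, not part of the original post or the linked report: a sketch of the kind of flow classification the message describes (share of flows from/to bogons, how many involve RFC1918 space, how many are SMTP). The prefix list holds only a few special-purpose IPv4 ranges, the flow tuple layout is an assumption, and the flow records are constructed sample data.

```python
import ipaddress
from collections import Counter

# Special-purpose ranges only. A real bogon list also contains unallocated
# space, which changes over time and is not reproduced here.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
OTHER_BOGONS = [ipaddress.ip_network(n)
                for n in ("0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
                          "192.0.2.0/24", "224.0.0.0/3")]

# Constructed flow records: (src, dst, ip_protocol, src_port, dst_port)
SAMPLE_FLOWS = [
    ("10.1.2.3",    "145.0.0.10",  6,  40000, 80),
    ("145.0.0.10",  "192.168.4.4", 17, 53,    33000),
    ("192.0.2.55",  "145.0.0.25",  6,  41000, 25),
    ("145.0.0.7",   "11.0.0.8",    17, 5000,  53),
    ("11.0.0.9",    "145.0.0.25",  6,  42000, 25),
    ("169.254.9.9", "145.0.0.10",  1,  0,     0),
    ("145.0.0.3",   "172.20.0.1",  6,  25,    43000),
    ("145.0.0.3",   "172.32.0.1",  6,  44000, 443),  # just outside 172.16/12
]

def classify(addr):
    """Return 'rfc1918', 'other_bogon', or None for a routable address."""
    ip = ipaddress.ip_address(addr)
    if any(ip in net for net in RFC1918):
        return "rfc1918"
    if any(ip in net for net in OTHER_BOGONS):
        return "other_bogon"
    return None

def summarize(flows):
    """Count flows where either endpoint is a bogon ("from/to" bogons)."""
    c = Counter()
    for src, dst, proto, sport, dport in flows:
        c["total"] += 1
        classes = {classify(src), classify(dst)} - {None}
        if not classes:
            continue
        c["bogon"] += 1
        if "rfc1918" in classes:
            c["rfc1918"] += 1
        if proto == 6 and 25 in (sport, dport):  # TCP port 25 = SMTP
            c["smtp_bogon"] += 1
    keys = ("total", "bogon", "rfc1918", "smtp_bogon")
    result = {k: c[k] for k in keys}
    result["bogon_share"] = c["bogon"] / c["total"] if c["total"] else 0.0
    return result

if __name__ == "__main__":
    print(summarize(SAMPLE_FLOWS))
```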