Is it time to abandon bogon prefix filters?

Andree Toonk andree+nanog at toonk.nl
Thu Aug 14 12:04:01 CDT 2008


Hi Randy,

.-- My secret spy satellite informs me that at Thu, 07 Aug 2008, Randy Bush wrote:

> serious curiosity:
> 
> what is the proportion of bad stuff coming from unallocated space vs
> allocated space?  real measurements, please.  and are there longitudinal
> data on this?
> 
> are the uw folk, gatech, vern, ... measuring?

I did some measurements in The Netherlands (SURFnet) using netflow around 1,5
years ago.  During this project around 86 million 'Bogon flows' were analyzed. This was not
more then 0.1% (probably even lower) of all flows during that 1 week period.
The majority of these flows were actually from/to RFC1918 address space.

One of the things (amongst others)  we looked at was SMTP traffic from / to
bogons, to verify the theory that spammers announce a bogon prefix to sent spam. From the 86
million bogon flows analyzed, 12 SMTP flows were found, very minimal.
Other things we looked at, were type of traffic (applications) & protocols  and
the sources of those flows.
We saw some strange (interesting) things, but that was really just a few flows
in many many many milions of flows.

Anyways, if you're interested the research report can be found here:
http://www.toonk.nl/bogon-traffic-analysis.pdf
There's also a presentation http://www.toonk.nl/presentations.php

Cheers,
 Andree

--
 Andree Toonk
 http://www.toonk.ca/blog/




More information about the NANOG mailing list