Is it time to abandon bogon prefix filters?

Danny McPherson danny at tcb.net
Thu Aug 14 23:09:58 CDT 2008


On Aug 6, 2008, at 9:01 AM, Randy Bush wrote:
>
> serious curiosity:
>
> what is the proportion of bad stuff coming from unallocated space vs
> allocated space?  real measurements, please.  and are there  
> longitudinal
> data on this?
>
> are the uw folk, gatech, vern, ... measuring?

Some data from our anonymous stats program
(currently ~90 ISPs) included below.  In short,
~3% of 727k attacks we've seen over the last
631 days employed bogon source addresses.

(definition of what constitutes "attack" is subjected to
reporting participant operational policy, but these are
primarily rate-based DDoS attacks)

-danny

---
General Statistics

total_days      631
total_attacks   1137265
avg_attacks_day 1802
avg_collectors_day      47
avg_attacks_collector_day       38
total_good_attacks      727410  63.96%

---
Bogon Summary

bogon block     attacks % of attacks
0.0.0.0/7       65      0.01
2.0.0.0/8       3       0.00
5.0.0.0/8       3       0.00
10.0.0.0/8      8794    1.21
23.0.0.0/8      4       0.00
27.0.0.0/8      7       0.00
92.0.0.0/6      101     0.01
100.0.0.0/6     374     0.05
104.0.0.0/5     303     0.04
112.0.0.0/5     775     0.11
120.0.0.0/8     45      0.01
127.0.0.0/8     6       0.00
172.16.0.0/12   3646    0.50
174.0.0.0/7     1       0.00
176.0.0.0/5     1       0.00
192.168.0.0/16  7451    1.02
223.0.0.0/8     10      0.00
224.0.0.0/3     8       0.00

bogonTotal      21597   2.97





More information about the NANOG mailing list