Is it time to abandon bogon prefix filters?

Danny McPherson danny at tcb.net
Thu Aug 14 23:55:17 CDT 2008


On Aug 6, 2008, at 12:01 PM, Sean Donelan wrote:
>
> Attacks or misconfigured leaks?
>
> Leaks of RFC1918 stuff are pretty common, just ask any of the root
> server operators how many packets they see from RFC1918 leaking
> networks or do a traceroute across several residential cable network
> backbones.
>
> Attacks aren't as common because there is enough (not 100%)
> anti-spoofing (good) and/or bogon-filters (not as good) in different
> parts of the Internet that it requires more thought to launch a spoofed
> DDOS than it does just to use tens of thousands of non-spoofed bots
> to launch a DDOS.
>
> Arbor Networks has some data.

I shared some data on bogon source appearances in *observed*
attacks in another email.  Orthogonal to that, here's the current
Infrastructure Security Survey (again: see below for participation
information, if so inclined) totals for questions related to BCP 38
and uRPF application among respondents.   A pointer to a
complete set of data across ~70 ISPs from last year's survey is
provided below.

(Note: it's my opinion that one should assume at least a slightly
more clue-dense respondent base than the larger network
operator pool - i.e., the actual BCP 38/uRPF numbers are likely
lower, and you're more clueful if you complete the survey :-)

-danny

-----
Self-classified respondent network type (approaching 50
responses):

Tier 1: 13.33%
Tier 2: 28.89%
Pure Content Network: 11.11%
Hosting Provider: 8.89%
Education or Academic Network: 13.33%
Enterprise or Hybrid Network: 2.22%
Other: 22.22%

---
Do you employ strict uRPF or BCP 38 on the dedicated customer edge of  
your network?

Yes: 51.11%
No: 33.33%
Other: 15.56%

---
Do you employ strict uRPF or BCP 38 style filters on the broadband  
edge of your network?

Yes: 40.00%
No: 33.33%
Other: 26.67%

---
Do you employ uRPF or BCP 38 style filters on the peering edge of your  
network?

Yes: 46.67%
No: 46.67%
Other: 6.67%

----------------------------
[snip]

Folks,
The 2008 Infrastructure Security Survey is up and available for
input.  You can register to complete the survey at this URL:

<https://www.tcb.net/survey/index.php?sid=19672&lang=en>

I've added many questions this time from past participants
of the survey, this should be evidenced throughout.  Thanks
to all those that reviewed and provided questions explicitly
for this edition.  The survey response window will be ~2
weeks.

We hope to make the results available by the end of September
at the latest.  Also, please recall that NO personally (or
organizationally) identifiable information will be shared in any
manner.

The 2007 edition of the survey is available here:

<http://www.tcb.net/wisp07.pdf>

Or on the Arbor web site (reg required):

<http://www.arbornetworks.com/report>

Thanks in advance for your participation!

-danny



