Is it time to abandon bogon prefix filters?

Sean Donelan sean at donelan.com
Fri Aug 15 13:49:38 UTC 2008


On Fri, 15 Aug 2008, Randy Bush wrote:
> my read is that the 60% was an alleged 60% of attacks came from *all*
> bogon space.  this now seems in the low single digit percentage.  of
> that, the majority is from 1918 space.

Although I've disagreed with Rob about the configuration of bogon filters, 
especially on unmanaged (or semi-managed) routers, it is important to 
remember attacks and bogus packets are not naturally occurring phenomena. 
The attacker chooses the attack vector and target, usually based on 
effectiveness and vulnerability but often on ease for the attacker.

Packet and especially source address hygiene can be very useful for highly 
managed equipment.  However, bogon filters have often become more a 
source of recurring security consultant maintenance revenue than effective 
packet controls.  Understanding the operational maintenance demands is
also an important part of implementing good security controls.

For unmanaged and semi-managed routers, I'd suggest strict out-bound 
packet controls (i.e. be conservative in what you send) because you 
already need to make operational updates when they change.  But consider
using inbound controls that require less extensive recurring maintenance, 
e.g. only filtering martians (i.e. 0/8, 127/8, 255.255.255.255/32, etc) 
instead of updating bogons (i.e. changing reserved and unallocated) every 
few months.
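The distinction the post draws between a static martian list and a bogon list that has to be refreshed, shown as an added example (not code from the post or from any NANOG participant). The martian prefixes are the standard ones (0/8, 127/8, 255.255.255.255/32, the RFC 1918 ranges, plus link-local, multicast and reserved class E); the bogon feed entry and the sample packets are constructed placeholders using documentation prefixes, not real allocation data.

```python
"""Inbound source-address filter: a static martian list beside an externally
maintained bogon list.  Added example, not part of the NANOG post."""
import ipaddress
from collections import Counter
from typing import Iterable, Optional

# Static martians: address space that is never a legitimate source on the
# public Internet whatever the current allocation state.  This list does
# not churn, so it needs no recurring maintenance.
MARTIANS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8",           # "this" network
    "10.0.0.0/8",          # RFC 1918 private
    "127.0.0.0/8",         # loopback
    "169.254.0.0/16",      # link-local
    "172.16.0.0/12",       # RFC 1918 private
    "192.168.0.0/16",      # RFC 1918 private
    "224.0.0.0/4",         # multicast, never a unicast source
    "240.0.0.0/4",         # reserved
    "255.255.255.255/32",  # limited broadcast
)]

# Bogon list: unallocated/reserved space that changes as registries hand out
# blocks, so it must come from an external feed and be refreshed.  The entry
# below is a CONSTRUCTED placeholder (a documentation prefix), not real data.
EXAMPLE_BOGON_FEED = ["198.51.100.0/24"]


def drop_reason(src: str, bogons: Iterable[str] = ()) -> Optional[str]:
    """Return 'martian' or 'bogon' if the source address should be dropped,
    None if it passes.  Martians are checked first because that list is
    static; the bogon check only applies when a feed is supplied."""
    addr = ipaddress.ip_address(src)
    if any(addr in net for net in MARTIANS):
        return "martian"
    for prefix in bogons:
        if addr in ipaddress.ip_network(prefix):
            return "bogon"
    return None


def filter_inbound(packets, bogons=()):
    """Apply drop_reason to (src, dst) pairs; return the accepted list and a
    Counter of drop reasons, which is what you would want to log anyway."""
    accepted, dropped = [], Counter()
    for src, dst in packets:
        reason = drop_reason(src, bogons)
        if reason is None:
            accepted.append((src, dst))
        else:
            dropped[reason] += 1
    return accepted, dropped


# Constructed sample traffic; 203.0.113.0/24 stands in for an ordinary
# public source and 192.0.2.10 for the protected host.
SAMPLE_PACKETS = [
    ("203.0.113.5", "192.0.2.10"),      # normal public source, accepted
    ("10.1.2.3", "192.0.2.10"),         # RFC 1918 source, martian
    ("127.0.0.1", "192.0.2.10"),        # loopback source, martian
    ("255.255.255.255", "192.0.2.10"),  # limited broadcast source, martian
    ("198.51.100.7", "192.0.2.10"),     # only caught by the bogon feed
]

if __name__ == "__main__":
    ok, dropped = filter_inbound(SAMPLE_PACKETS, EXAMPLE_BOGON_FEED)
    print("accepted:", ok)
    print("dropped:", dict(dropped))
    # With no bogon feed at all the static martian rules still stop the
    # three martian packets; only the feed-dependent entry is then missed,
    # which is the trade-off the post describes for lightly managed routers.
    ok2, dropped2 = filter_inbound(SAMPLE_PACKETS)
    print("martians only:", dict(dropped2))
```

Running the block with the placeholder feed drops four of the five sample packets; running it with no feed drops the three martians and lets the feed-dependent one through, which is exactly the maintenance trade-off: the martian half of the filter never needs an update, the bogon half is only as good as its last refresh.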
