Is it time to abandon bogon prefix filters?

Sat Aug 16 17:53:51 UTC 2008

Since there are ways to dynamically filter the bogons, using BGP or DNS,
I don't really see the need to stop doing so. If you're managing your
routing and firewall filters manually, you have bigger problems than the
release of Bogon space. 

It's not just the number of attacks that is the issue, but the potential
severity of them.

Traffic sourced from Bogon space (REAL Bogon space) is 100% guaranteed
to be traffic you DON'T want to receive. It could be advertised bogon
space, in which case it is likely criminal, and thus something you
REALLY don't want to see.

Prioritization of defense effort is based on a product of probability
and severity divided by a factor that takes the cost and unfavorable
consequences of the mitigation strategy into account. For any given
threat, you can choose methods that decrease or increase any factor, and
address those with the highest payoff first.

An example would be Thermonuclear attack: low probability, very high
severity, with fairly significant cost and unpleasant side consequences,
yet the result, total annihilation, is so high that we have ICBMs,
Submarines, Bombers, and ABM technology, which taken together cost a lot
more than the efforts spent on blocking SPAM, which is very probable,
but unlikely to kill anyone.

Applying Bogon filters, using dynamic sources, is a very low cost way to
block attacks that can be of high severity, while unlikely to have
adverse consequences, and so is a BCP.

Filtering RFC1918 space at the edge has always been a BCP, independent
of Bogon filters. You neither want to accept if from outside, or let any
of yours leak. That should be part of the static filter set/null route
table in any router.

> -----Original Message-----
> From: Robert E. Seastrom [mailto:rs at seastrom.com] 
> Sent: Friday, August 15, 2008 5:23 AM
> To: Randy Bush
> Cc: NANOG list
> Subject: Re: Is it time to abandon bogon prefix filters?
> 
> 
> Randy Bush <randy at psg.com> writes:
> 
> >> bogon block     attacks % of attacks
> >> 0.0.0.0/7       65      0.01
> >> 2.0.0.0/8       3       0.00
> >> 5.0.0.0/8       3       0.00
> >> 10.0.0.0/8      8794    1.21
> >> 23.0.0.0/8      4       0.00
> >> 27.0.0.0/8      7       0.00
> >> 92.0.0.0/6      101     0.01
> >> 100.0.0.0/6     374     0.05
> >> 104.0.0.0/5     303     0.04
> >> 112.0.0.0/5     775     0.11
> >> 120.0.0.0/8     45      0.01
> >> 127.0.0.0/8     6       0.00
> >> 172.16.0.0/12   3646    0.50
> >> 174.0.0.0/7     1       0.00
> >> 176.0.0.0/5     1       0.00
> >> 192.168.0.0/16  7451    1.02
> >> 223.0.0.0/8     10      0.00
> >> 224.0.0.0/3     8       0.00
> >
> > well, we can see why andree wanted to look behind the 1918 
> stuff.  it 
> > is the elephant.
> >
> > thanks, danny!
> >
> > randy
> 
> In other words, our earlier estimate of 60% was way off...  
> you can get 92.1% effectiveness at bogon filtering by just 
> dropping 1918 addresses, a filter that you will never have to change.
> 
> What's the operational cost trade-off with going after that 
> remaining 7.9%?  I'll betcha it's not justifiable.  Maybe 
> it's time to change the best current practices we recommend 
> so that they stop biting us in the ass every time a chunk of 
> our ever-dwindling pool of unused address space goes into play.
> 
> My uncle used to tell this joke:
> 
> Q:  Why did the man hit himself in the head with a hammer?
> A:  Because it felt so good when he stopped?
> 
> -r
> 
> 
> 
> 