Is it time to abandon bogon prefix filters?

Tomas L. Byrnes tomb at byrneit.net
Mon Aug 25 01:21:23 CDT 2008


You're missing one of the basic issues with bogon sources: they are
often advertised bogons, IE the bad guy DOES care about getting the
packets back, and has, in fact, created a way to do so.

This is usually VERY BAD traffic, and EVEN WORSE if a user goes TO a
site hosted in such IP space.

So, Bogon filtering has value beyond mere spoofed source rejection.

 

> -----Original Message-----
> From: Sean Donelan [mailto:sean at donelan.com] 
> Sent: Thursday, August 21, 2008 5:19 PM
> To: NANOG list
> Subject: Re: Is it time to abandon bogon prefix filters?
> 
> On Mon, 18 Aug 2008, Danny McPherson wrote:
> > All the interesting attacks today that employ spoofing (and the 
> > majority of the less-interesting ones that employ spoofing) are 
> > usually relying on existence of the source as part of the attack 
> > vector (e.g., DNS cache poisoning, BGP TCP RST attacks, DNS 
> reflective 
> > amplification attacks, etc..), and as a result, loose mode 
> gives folks 
> > a false sense of protection/action.
> 
> Yep.  Same thing with bogon filters.  Any attacker which can 
> source packets with bogon addresses, can by definition, 
> source packets with any "valid" IP address too.  Great as an 
> academic exercise, but the bad guys are going to send evil 
> packets without the evil bit nor using bogon addresses.  If 
> the bad guys are using spoofed addresses, they don't care 
> about the reply packets to either valid or unallocated addresses.
> 
> However, seeing packets with unallocated IP addresses on the 
> Internet is evidence of a broken network.  Just like when a 
> network trips "max prefix" on a BGP session, shouldn't a 
> broken network be shutdown until the problem is fixed.  If 
> you don't want to risk your network peers turning off the 
> connections, make sure your network doesn't source spoofed packets.
> 
> 
> 




More information about the NANOG mailing list