Home page logo
/

nanog logo nanog mailing list archives

Re: do bogon filters still help?
From: Edward Lewis <Ed.Lewis () neustar biz>
Date: Wed, 11 Jan 2006 13:16:43 -0500


No data, but I thought I should add...RFC 3330 "Special-Use IPv4 Addresses" lists the "obvious stuff." I just went through an exercise in de-bogonizing and needed that reference. [http://www.ietf.org/rfc/rfc3330.txt]

Be careful though. It lists 24.0.0.0/8 as "special," explaining that this went to cable operators (and eventually administered via ARIN). So don't just use the Summary Table in section 3 blindly.

At 13:03 -0500 1/11/06, Steven M. Bellovin wrote:
Every time IANA allocates new prefixes, we're treated to complaints about
sites that are not reachable because they're in the new space and some
places haven't updated their bogon filters.  My question is this:  have we
reached a point where the bogon filters are causing more pain than they're
worth?

The Team Cymru web page (http://www.cymru.com/Bogons/index.html) gives
some justification, but I think the question should be revisited.  First,
as the page (and the associated presentation) note, most of the
benefit comes from filtering obvious stuff -- 0/8, 127/8, and
"class" D and E source addresses.  Second, the study is about 5
years old, maybe more; attack patterns have changed since then.
Third, considerably more address space has been allocated; this
means that the percentage of address space that can be considered bogus is
significantly smaller.  Possibly, there are more sites doing edge
filtering, but I'd hate to count on that.

So -- I'd like people to re-examine the question.  Does anyone have more
recent data on the frequency of bogons as a percentage of attack
packets?  What would that number look like if you filtered just the
obvious -- the ranges given above, plus the RFC 1918 prefixes?  Are
your defenses against non-spoofed attacks really helped by the extra
filtering?

                --Steven M. Bellovin, http://www.cs.columbia.edu/~smb


--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis                                                +1-571-434-5468
NeuStar

Inactionable unintelligence is bliss.


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]