nanog mailing list archives
Re: Bogon filtering (don't ban me)
From: Rob Thomas <robt () cymru com>
Date: Sun, 5 Dec 2004 13:03:37 -0600 (CST)
Hi, NANOGers.

] - That's only some 40% of all address space, so you need to be able to
] deal with the other 60% anyway. Why wouldn't whatever mechanism that
] deals with the 60% be unable to deal with the additional 40%?

In a study of one oft' scanned and attacked site, we found that 66.85% of the source IPs were bogon (RFC1918, unallocated, etc.). You can read about it at the following URL:

<http://www.cymru.com/Presentations/60days.ppt>

Filtering out bogons removes yet one more potential source of badness. Does it remove all badness? Of course not. We win by degrees. Removing any tool from the bad persons' toolkit is useful.

Those who track backscatter (the detritus of a spoofed source attack) are still seeing a healthy bit of traffic. While spoofing is less popular than it once was, it still remains a viable attack feature. Tools such as bang.c depend entirely on the ability to spoof. Not all spoofing uses bogon IP space. That's fine, we can reduce the alternatives bit by bit.

Dealing with the other sources of badness is an exercise for other ideas. The Darknet Project is one such way to spot that badness.

<http://www.cymru.com/Darknet/>

How you choose to respond to that badness (report it to the source, report it to their upstreams, null route them, do nothing) is of course up to you.

] - (Loose) uRPF will buy you the exact same functionality and more
] without any upkeep.

Even with uRPF one needs to keep the RIB clean. That means the use of filtering. We and others provide those as well:

<http://www.cymru.com/Documents/secure-bgp-template.html>
<http://www.cymru.com/gillsr/documents/junos-bgp-template.htm>
<ftp://ftp-eng.cisco.com/cons/isp/security/Ingress-Prefix-Filter-Templates/>

Thanks,
Rob.
--
Rob Thomas
http://www.cymru.com
ASSERT(coffee != empty);
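A defender-side check of the bogon-share measurement the post describes, added here as an example and not part of Rob's message or of Team Cymru's own tools: it takes the distinct source addresses from some constructed firewall log lines and classifies each against the static (RFC-reserved) bogon ranges, with the unallocated portion left for the caller to supply from a maintained feed. The SAMPLE_LOG lines, the function names and any prefix passed as `unallocated` are assumptions.

```python
import ipaddress
import re

# Static bogons: RFC 1918 private space plus other RFC-reserved ranges that
# should never appear as a source address on a public-facing interface.
# The "unallocated" bogons the post mentions are not hard-coded: that set
# shrinks as registries hand out space, so pass it in from a maintained feed.
STATIC_BOGONS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.2.0/24",
    "192.168.0.0/16", "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24",
    "224.0.0.0/4", "240.0.0.0/4",
)]

# SRC= field of a netfilter-style firewall log line (IPv4 only).
SRC_RE = re.compile(r"\bSRC=(\d{1,3}(?:\.\d{1,3}){3})\b")
# Constructed sample log lines (not from the post); DST is a documentation address.
SAMPLE_LOG = """\
Dec  5 13:01:02 fw kernel: DROP IN=eth0 SRC=10.1.2.3 DST=203.0.113.10 PROTO=TCP DPT=445
Dec  5 13:01:05 fw kernel: DROP IN=eth0 SRC=192.168.77.9 DST=203.0.113.10 PROTO=TCP DPT=135
Dec  5 13:01:09 fw kernel: DROP IN=eth0 SRC=198.51.100.4 DST=203.0.113.10 PROTO=UDP DPT=1434
Dec  5 13:01:11 fw kernel: DROP IN=eth0 SRC=1.2.3.4 DST=203.0.113.10 PROTO=TCP DPT=22
Dec  5 13:01:15 fw kernel: DROP IN=eth0 SRC=0.1.2.3 DST=203.0.113.10 PROTO=TCP DPT=80
Dec  5 13:01:19 fw kernel: DROP IN=eth0 SRC=5.6.7.8 DST=203.0.113.10 PROTO=TCP DPT=22
Dec  5 13:01:22 fw kernel: DROP IN=eth0 SRC=10.1.2.3 DST=203.0.113.10 PROTO=TCP DPT=139
""".splitlines()


def bogon_prefix(ip_str, unallocated=()):
    """Return the bogon prefix containing ip_str, or None if it is routable."""
    ip = ipaddress.ip_address(ip_str)
    for net in STATIC_BOGONS + [ipaddress.ip_network(p) for p in unallocated]:
        if ip in net:
            return net
    return None


def bogon_share(log_lines, unallocated=()):
    """Distinct SRC addresses in log_lines -> (bogon_count, total, percent_bogon)."""
    sources = set()
    for line in log_lines:
        m = SRC_RE.search(line)
        if m:
            try:
                sources.add(str(ipaddress.ip_address(m.group(1))))
            except ValueError:  # malformed octet such as 300.1.1.1, skip it
                continue
    bogon = sum(1 for s in sources if bogon_prefix(s, unallocated) is not None)
    total = len(sources)
    pct = round(100.0 * bogon / total, 2) if total else 0.0
    return bogon, total, pct
```

On the sample above, bogon_share(SAMPLE_LOG) reports 4 of 6 distinct sources as bogon (66.67%); adding a feed-derived prefix through `unallocated` raises that count, which is the upkeep the post says a clean RIB still needs.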