Re: Is it time to abandon bogon prefix filters?

["Robert E. Seastrom" <rs () seastrom com>]

Randy Bush <randy () psg com> writes:

> > > How much does it help to filter the bogons? In one study conducted by
> > > Rob Thomas of a frequently attacked site, fully 60% of the naughty
> > > packets were obvious bogons (e.g. 127.1.2.3, 0.5.4.3, etc.)
> >
> > Stated another way, you can get 60% success on bogon filtering by
> > ignoring the free pool
>
> if 127.1.2.3 and 0.5.4.3 are in the free pool, we have a few more /8s in
> the bank then we thought, eh? :)

I guess I didn't really word that clearly.

My point was that by not including the free pool in your candidates
for filtering (i.e., only filtering out packets from addresses that
will never be allocated or are permanently reserved such as 1918
space), you're only sacrificing 40% of your likely hits...  and that
number is going down over time.  Why not just cut to the chase and
make a filter that will never go stale, take any possible lumps on the
bogus packet announcement side, and collect handsomely on the
operational side?

> btw, patrick neglected the last sentences of that paragraph, which made
> me wonder what rob would actually say.  luckily, in response to my post,
> rob replied that he/they would try to get some useful measures in the
> near term.  i am patient.

I read that thrice and thought "wtf?" twice, until I properly
dereferenced "rob" to "robt", not "rs".  Heh.

> but your post makes me inclined to beg that he/that he have a few taxa
> within the bogon space.

Come, come, elucidate your thoughts.

-r