nanog mailing list archives

Re: Is it time to abandon bogon prefix filters?


From: Andree Toonk <andree+nanog () toonk nl>
Date: Thu, 14 Aug 2008 19:04:01 +0200

Hi Randy,

.-- My secret spy satellite informs me that at Thu, 07 Aug 2008, Randy Bush wrote:

> serious curiosity:
>
> what is the proportion of bad stuff coming from unallocated space vs
> allocated space?  real measurements, please.  and are there longitudinal
> data on this?
>
> are the uw folk, gatech, vern, ... measuring?

I did some measurements in The Netherlands (SURFnet) using netflow around 1,5
years ago.  During this project around 86 million 'Bogon flows' were analyzed. This was not
more than 0.1% (probably even lower) of all flows during that 1 week period.
The majority of these flows were actually from/to RFC1918 address space.

One of the things (amongst others) we looked at was SMTP traffic from / to
bogons, to verify the theory that spammers announce a bogon prefix to send spam. From the 86
million bogon flows analyzed, 12 SMTP flows were found, very minimal.
Other things we looked at were type of traffic (applications) & protocols and
the sources of those flows.
We saw some strange (interesting) things, but that was really just a few flows
in many many many millions of flows.

Anyways, if you're interested the research report can be found here:
http://www.toonk.nl/bogon-traffic-analysis.pdf
There's also a presentation http://www.toonk.nl/presentations.php

Cheers,
 Andree

--
 Andree Toonk
 http://www.toonk.ca/blog/
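
The kind of measurement described in the message above, as an added example that is not part of the original post or the linked report: it classifies flow records as bogon (RFC 1918 or other special-purpose space) and counts SMTP flows among them. The flow tuple layout, the fixed prefix set and the sample records are assumptions constructed for illustration; unallocated space is not modelled.

```python
import ipaddress
from collections import Counter

# Special-purpose IPv4 ranges only. Unallocated space changes over time, so a
# real run would load a current bogon list instead of this fixed set.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
OTHER_BOGONS = [ipaddress.ip_network(n) for n in
                ("0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "240.0.0.0/4")]

def bogon_class(addr):
    """Return 'rfc1918', 'other-bogon', or None for a non-bogon address."""
    ip = ipaddress.ip_address(addr)
    if any(ip in n for n in RFC1918):
        return "rfc1918"
    if any(ip in n for n in OTHER_BOGONS):
        return "other-bogon"
    return None

def analyze(flows):
    """Count bogon flows (source or destination in bogon space) and SMTP among them."""
    stats = Counter()
    for src, dst, proto, dport in flows:
        stats["total"] += 1
        classes = {c for c in (bogon_class(src), bogon_class(dst)) if c}
        if not classes:
            continue
        stats["bogon"] += 1
        stats["rfc1918" if "rfc1918" in classes else "other-bogon"] += 1
        if proto == 6 and dport == 25:  # TCP to port 25
            stats["bogon_smtp"] += 1
    return stats

# Constructed sample flows: (src, dst, ip_protocol, dst_port).
# Documentation addresses (192.0.2.x etc.) stand in for routed hosts here.
SAMPLE_FLOWS = [
    ("192.0.2.10",   "198.51.100.5", 6, 80),
    ("10.1.2.3",     "192.0.2.10",   17, 53),
    ("192.168.1.9",  "198.51.100.5", 6, 25),
    ("240.1.1.1",    "192.0.2.10",   6, 443),
    ("198.51.100.7", "172.16.5.5",   1, 0),
    ("203.0.113.4",  "192.0.2.10",   6, 25),
]

if __name__ == "__main__":
    s = analyze(SAMPLE_FLOWS)
    print(dict(s), "bogon share: %.1f%%" % (100.0 * s["bogon"] / s["total"]))
```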

