North American Network Operators Group


Re: Bogon filtering (don't ban me)

  • From: Jørgen Hovland
  • Date: Sun Dec 05 14:58:28 2004

On Sun, 5 Dec 2004, Rob Thomas wrote:

>
> Hi, NANOGers.

Hello,

>
> ] - That's only some 40% of all address space, so you need to be able to
> ] deal with the other 60% anyway. Why wouldn't whatever mechanism that
> ] deals with the 60% be unable to deal with the additional 40%?
>
> In a study of one oft' scanned and attacked site, we found that
> 66.85% of the source IPs were bogon (RFC1918, unallocated, etc.).
> You can read about it at the following URL:
>
>    <http://www.cymru.com/Presentations/60days.ppt>
>
> Filtering out bogons removes yet one more potential source of
> badness.  Does it remove all badness?  Of course not.  We win
> by degrees.  Removing any tool from the bad persons' toolkit is
> useful.
>

Does it really?
When I perform any type of change, the most important thing for me isn't
what it will prevent/help with but the opposite: what it will not prevent/help.
Blocking bogons will result in attackers using existing netblocks
instead. This will again result in more insecurity, since any attack will
have source addresses within valid space and some people will find it
harder to determine the real sources, at least in the beginning.
So any type of bogon filter like that seems to me a total waste of time.
It does not really prevent anything in the long run.

You may have taken the can-opener away from this bad person, but you don't
really need a can-opener to open the beer anyway... correct me if I'm
wrong.

Joergen Hovland ENK
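As an added illustration (not part of the thread or of either poster's work), a small Python check that classifies logged source IPs against a static RFC1918/reserved prefix list and reports which sources a bogon filter would drop and which would still pass. The log lines and the prefix list are constructed; a real bogon feed also tracks currently unallocated space, which this static list does not.

```python
import ipaddress
import re

# Constructed, static bogon list: RFC1918 plus a few permanently reserved
# ranges. A real feed (e.g. Team Cymru's, linked in the quoted message) also
# carries currently unallocated space, which changes as prefixes are assigned.
BOGON_PREFIXES = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]

# Constructed iptables-style log lines; 198.51.100.0/24 (documentation
# space) stands in for ordinary allocated address space in this sample.
SAMPLE_LOG = """\
Dec  5 14:58:01 gw kernel: IN=eth0 SRC=10.1.2.3 DST=203.0.113.1 PROTO=TCP DPT=22
Dec  5 14:58:02 gw kernel: IN=eth0 SRC=192.168.0.7 DST=203.0.113.1 PROTO=TCP DPT=22
Dec  5 14:58:03 gw kernel: IN=eth0 SRC=198.51.100.4 DST=203.0.113.1 PROTO=TCP DPT=22
Dec  5 14:58:04 gw kernel: IN=eth0 SRC=172.20.5.5 DST=203.0.113.1 PROTO=TCP DPT=22
Dec  5 14:58:05 gw kernel: IN=eth0 SRC=198.51.100.77 DST=203.0.113.1 PROTO=TCP DPT=22
Dec  5 14:58:06 gw kernel: IN=eth0 SRC=224.0.0.5 DST=203.0.113.1 PROTO=TCP DPT=22
"""

SRC_RE = re.compile(r"\bSRC=(\d{1,3}(?:\.\d{1,3}){3})\b")

def is_bogon(addr: str) -> bool:
    """True if addr falls inside any prefix of the static bogon list."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in BOGON_PREFIXES)

def filter_report(log_text: str) -> dict:
    """Split logged source IPs into those a bogon filter would drop and
    those it would let through, with the bogon share of the total."""
    sources = SRC_RE.findall(log_text)
    dropped = [s for s in sources if is_bogon(s)]
    passed = [s for s in sources if not is_bogon(s)]
    total = len(sources)
    return {
        "total": total,
        "bogon": len(dropped),
        "bogon_fraction": len(dropped) / total if total else 0.0,
        "dropped": dropped,
        # Sources in valid space: the filter does nothing about these.
        "passed": passed,
    }

if __name__ == "__main__":
    report = filter_report(SAMPLE_LOG)
    print(f"{report['bogon']}/{report['total']} sources bogon "
          f"({report['bogon_fraction']:.1%}); still passing: {report['passed']}")
```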