North American Network Operators Group
Re: Bogon filtering (don't ban me)
On 5-dec-04, at 20:03, Rob Thomas wrote:

> ] - That's only some 40% of all address space, so you need to be able to

> In a study of one oft' scanned and attacked site, we found that 66.85%
> of the source IPs were bogon (RFC1918, unallocated, etc.).

Well, I didn't keep a running total, but I'd say that in the attacks that I've dealt with 80%+ used real addresses or something indistinguishable. I understand this is what most people see. So unless someone has data that indicates otherwise, I'll assume your experiences are an exception.

> Filtering out bogons removes yet one more potential source of badness.

...while at the same time introducing a new one: the risk of filters going un-updated. (Generally speaking. For a BGP feed from you this isn't much of a risk.)

> ] - (Loose) uRPF will buy you the exact same functionality and more
> ] without any upkeep.

> Even with uRPF one needs to keep the RIB clean.
> <http://www.cymru.com/Documents/secure-bgp-template.html>

Yes, but how do you do that without an authoritative prefix->AS mapping? (And good tools. I know there are some, but I find them too hard to work with.)

Note though that so far, nobody has tried to inject bogon routes into the global routing table just so packets from bogon sources wouldn't be filtered. The reason we want this is because of address space hijacking (such as done by spammers) and configuration mistakes. So filtering at the /8 level as in the document linked above isn't really going to buy you much in practice.
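The two points argued above, what share of observed sources fall into bogon space and what happens when a bogon list is not kept current, can be made concrete with a small classifier. The following is an added example and is not code from the thread, from Team Cymru, or from the linked template; the bogon prefix lists and the flow records are constructed for illustration, and the only real-world fact it relies on is that 1.0.0.0/8 was unallocated in 2004 and was later assigned to APNIC (in 2010).

```python
from ipaddress import ip_address, ip_network

# Constructed, deliberately incomplete bogon list (not Team Cymru's list):
# RFC 1918 private space plus a few other special-purpose blocks.
# A production filter must be refreshed from an authoritative feed.
CURRENT_BOGONS = [ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.2.0/24", "192.168.0.0/16",
    "224.0.0.0/4", "240.0.0.0/4",
)]

# A "2004-era" list that was never updated: it still carries 1.0.0.0/8,
# which was unallocated then but has since been assigned to APNIC.
STALE_BOGONS = CURRENT_BOGONS + [ip_network("1.0.0.0/8")]


def is_bogon(addr, prefixes=CURRENT_BOGONS):
    """Return True if addr falls inside any prefix of the given bogon list."""
    a = ip_address(addr)
    return any(a in n for n in prefixes)


# Constructed flow records in the form "src dst proto" (not real data).
SAMPLE_FLOWS = """\
10.1.2.3 198.51.100.7 tcp
192.168.4.5 198.51.100.7 tcp
203.0.113.9 198.51.100.7 tcp
172.20.1.1 198.51.100.7 udp
198.51.100.250 198.51.100.7 tcp
"""


def bogon_share(flow_text, prefixes=CURRENT_BOGONS):
    """Count sources matching the bogon list; returns (bogons, total, percent)."""
    srcs = [line.split()[0] for line in flow_text.splitlines() if line.strip()]
    bogons = [s for s in srcs if is_bogon(s, prefixes)]
    pct = round(100.0 * len(bogons) / len(srcs), 2) if srcs else 0.0
    return len(bogons), len(srcs), pct


def stale_false_positives(sources, stale=STALE_BOGONS, current=CURRENT_BOGONS):
    """Sources a stale list would drop that the current list correctly passes.

    This is the 'filters going un-updated' risk: legitimate traffic from space
    allocated after the list was built gets blocked until someone refreshes it.
    """
    return [s for s in sources
            if is_bogon(s, stale) and not is_bogon(s, current)]


if __name__ == "__main__":
    print("bogon share of sample flows:", bogon_share(SAMPLE_FLOWS))
    print("blocked only by the stale list:",
          stale_false_positives(["1.1.1.1", "10.0.0.1", "198.51.100.250"]))
```

With the constructed flows, three of the five sources are in RFC 1918 space, so the share is 60%; the stale-list check shows 1.1.1.1 being dropped by the old filter and passed by the current one, while 10.0.0.1 is dropped by both, which is the difference between a filter that needs upkeep and one that does not.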