North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: Where are static bogon filters appropriate? was: Bogons

  • From: Jason Frisvold
  • Date: Sun Mar 04 15:52:29 2007
  • Dkim-signature: a=rsa-sha1; c=relaxed/relaxed;; s=beta; h=domainkey-signature:received:received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=J7oqC5xqnHk5MQoBbc74IEI4AuQz+hFOifRtBaggDrsjqdv3oQp0zpqIYlcREMlKvMc2zpePwqA47ryjuJi9QaTQIheb5yzDsjvF22YQ0yVwt6GodULlvr05+LhQzuRBrR5MLSHijzea+T0/FvPh8+8RFwIjTxU3qMZar/BJqJw=
  • Domainkey-signature: a=rsa-sha1; c=nofws;; s=beta; h=received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=SlZq2IIXl8oolf9qkZnJHGCjZ7ODENZlfRnejvu8Rs5+OqxIj/CNHgJTpfVoJi1lxKjZ+yjuygoTNxb84ndyeHaYLPZ5XHfXO4Db3dFAE28SExTbd0XoVDlJT4aEFFVOGLA/aD8yUphkaKmc7RnIukcxZF/szFA4oZAbaCM39uA=

On 3/2/07, Roland Dobbins <[email protected]> wrote:
No one has done the digging required to answer any of these
questions, unfortunately.

Can you get a valid answer to this based on the existence of BCP38? What I mean is, if your upstream is filtering bogons, you can't get a good read on the amount of "bad" traffic sourcing from "illegal" addresses. However, I'm sure it's there. If we stop filtering so-called "bad" addresses, I'm sure that the attacks from those addresses will increase when it's realized that the filters are gone.

I agree with others in that you can't stop looking for old attacks
just because they don't happen much anymore.  But we can improve the
ways we look.  uRPF is definitely a dynamic option, but as I
understood it, there were issues with using it on multi-homed networks
with asynchronous routing.  Granted, it has been some time since I've
looked at uRPF.

I think something like the Cymru bogon route server is great, but I'm
not a very trusting person when it comes to something like that.  I
don't like giving up that level of control.  Of course, at some point,
I suppose have to trust something...

I definitely believe in filtering both bogons and RFC 1918 space, it's
just a management issue that has to be dealt with.

Roland Dobbins <[email protected]> // 408.527.6376 voice

-- Jason 'XenoPhage' Frisvold [email protected]