North American Network Operators Group
Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: Is it time to abandon bogon prefix filters?

  • From: Danny McPherson
  • Date: Fri Aug 15 00:10:25 2008

On Aug 6, 2008, at 9:01 AM, Randy Bush wrote:

serious curiosity:

what is the proportion of bad stuff coming from unallocated space vs
allocated space? real measurements, please. and are there longitudinal
data on this?

are the uw folk, gatech, vern, ... measuring? 

Some data from our anonymous stats program
(currently ~90 ISPs) included below.  In short,
~3% of 727k attacks we've seen over the last
631 days employed bogon source addresses.

(definition of what constitutes "attack" is subjected to
reporting participant operational policy, but these are
primarily rate-based DDoS attacks)

-danny

---
General Statistics

total_days      631
total_attacks   1137265
avg_attacks_day 1802
avg_collectors_day      47
avg_attacks_collector_day       38
total_good_attacks      727410  63.96%

---
Bogon Summary

bogon block     attacks % of attacks
0.0.0.0/7       65      0.01
2.0.0.0/8       3       0.00
5.0.0.0/8       3       0.00
10.0.0.0/8      8794    1.21
23.0.0.0/8      4       0.00
27.0.0.0/8      7       0.00
92.0.0.0/6      101     0.01
100.0.0.0/6     374     0.05
104.0.0.0/5     303     0.04
112.0.0.0/5     775     0.11
120.0.0.0/8     45      0.01
127.0.0.0/8     6       0.00
172.16.0.0/12   3646    0.50
174.0.0.0/7     1       0.00
176.0.0.0/5     1       0.00
192.168.0.0/16  7451    1.02
223.0.0.0/8     10      0.00
224.0.0.0/3     8       0.00

bogonTotal 21597 2.97