Re: Is it time to abandon bogon prefix filters?

North American Network Operators Group

Re: Is it time to abandon bogon prefix filters?

From: Danny McPherson
Date: Fri Aug 15 00:55:40 2008

List-archive: <http://mailman.nanog.org/pipermail/nanog>
List-help: <mailto:[email protected]?subject=help>
List-id: North American Network Operators Group <nanog.nanog.org>
List-post: <mailto:[email protected]>
List-subscribe: <http://mailman.nanog.org/mailman/listinfo/nanog>, <mailto:[email protected]?subject=subscribe>
List-unsubscribe: <http://mailman.nanog.org/mailman/listinfo/nanog>, <mailto:[email protected]?subject=unsubscribe>

On Aug 6, 2008, at 12:01 PM, Sean Donelan wrote:

Attacks or misconfigured leaks?

Leaks of RFC1918 stuff is pretty common, just ask any of the root server operators how many packets they see from RFC1918 leaking networks or do a traceroute across several residential cable network backbones.

Attacks aren't as common because there is enough (not 100%) anti- spoofing (good) and/or bogon-filters (not as good) in different parts of the Internet it requires more thought to launch a spoofed DDOS than it does just to use tens of thousands of non-spoofed bots to launch a DDOS.

Arbor Networks has some data.


I shared some data on bogon source appearances in *observed*
attacks in another email.  Orthogonal of that, here's the current
Infrastructure Security Survey (again: see below for participation
information, if so inclined) totals for questions related to BCP 38
and uRPF application among respondents.   A pointer to a
complete set of data across ~70 ISPs from last years survey is
provided below.

(Note: it's my opinion that one should assume at least a slightly
more clue-dense respondent base than the larger network
operator pool - i.e., the actual BCP 38/uRPF numbers are likely
lower, and you're more clueful if you complete the survey :-)

-danny

-----
Self-classified respondent network type (approaching 50
responses):

Tier 1: 13.33%
Tier 2: 28.89%
Pure Content Network: 11.11%
Hosting Provider: 8.89%
Education or Academic Network: 13.33%
Enterprise or Hybrid Network: 2.22%
Other: 22.22%

--- Do you employ strict uRPF or BCP 38 on the dedicated customer edge of your network?

Yes: 51.11%
No: 33.33%
Other: 15.56%

--- Do you employ strict uRPF or BCP 38 style filters on the broadband edge of your network?

Yes: 40.00%
No: 33.33%
Other: 26.67%

--- Do you employ uRPF or BCP 38 style filters on the peering edge of your network?

Yes: 46.67%
No: 46.67%
Other: 6.67%

----------------------------
[snip]

Folks,
The 2008 Infrastructure Security Survey is up and available for
input.  You can register to complete the survey at this URL:

<https://www.tcb.net/survey/index.php?sid=19672&lang=en>

I've added many questions this time from past participants
of the survey, this should be evidenced throughout.  Thanks
to all those that reviewed and provided questions explicitly
for this edition.  The survey response window will be ~2
weeks.

We hope to make the results available by the end of September
at the latest.  Also, please recall that NO personally (or
organizationally) identifiable information will be shared in any
manner.

The 2007 edition of the survey is available here:

<http://www.tcb.net/wisp07.pdf>

Or on the Arbor web site (reg required):

<http://www.arbornetworks.com/report>

Thanks in advance for your participation!

-danny

References:
- Out of Date Bogon Prefix Nick Downey
- Is it time to abandon bogon prefix filters? Leo Bicknell
- Re: Is it time to abandon bogon prefix filters? Rob Thomas
- Re: Is it time to abandon bogon prefix filters? Patrick W. Gilmore
- Re: Is it time to abandon bogon prefix filters? Randy Bush
- Re: Is it time to abandon bogon prefix filters? Sean Donelan

Prev by Date: Re: Is it time to abandon bogon prefix filters?
Next by Date: Re: Public shaming list for ISPs announcing other ISPs IP space by mistake
Date Index
Thread Index
Author Index
Historical