North American Network Operators Group|
Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical
RE: Is it time to abandon bogon prefix filters?
Since there are ways to dynamically filter the bogons, using BGP or DNS, I don't really see the need to stop doing so. If you're managing your routing and firewall filters manually, you have bigger problems than the release of Bogon space. It's not just the number of attacks that is the issue, but the potential severity of them. Traffic sourced from Bogon space (REAL Bogon space) is 100% guaranteed to be traffic you DON'T want to receive. It could be advertised bogon space, in which case it is likely criminal, and thus something you REALLY don't want to see. Prioritization of defense effort is based on a product of probability and severity divided by a factor that takes the cost and unfavorable consequences of the mitigation strategy into account. For any given threat, you can choose methods that decrease or increase any factor, and address those with the highest payoff first. An example would be Thermonuclear attack: low probability, very high severity, with fairly significant cost and unpleasant side consequences, yet the result, total annihilation, is so high that we have ICBMs, Submarines, Bombers, and ABM technology, which taken together cost a lot more than the efforts spent on blocking SPAM, which is very probable, but unlikely to kill anyone. Applying Bogon filters, using dynamic sources, is a very low cost way to block attacks that can be of high severity, while unlikely to have adverse consequences, and so is a BCP. Filtering RFC1918 space at the edge has always been a BCP, independent of Bogon filters. You neither want to accept if from outside, or let any of yours leak. That should be part of the static filter set/null route table in any router. > -----Original Message----- > From: Robert E. Seastrom [mailto:rs@xxxxxxxxxxxx] > Sent: Friday, August 15, 2008 5:23 AM > To: Randy Bush > Cc: NANOG list > Subject: Re: Is it time to abandon bogon prefix filters? > > > Randy Bush <randy@xxxxxxx> writes: > > >> bogon block attacks % of attacks > >> 0.0.0.0/7 65 0.01 > >> 188.8.131.52/8 3 0.00 > >> 184.108.40.206/8 3 0.00 > >> 10.0.0.0/8 8794 1.21 > >> 220.127.116.11/8 4 0.00 > >> 18.104.22.168/8 7 0.00 > >> 22.214.171.124/6 101 0.01 > >> 126.96.36.199/6 374 0.05 > >> 188.8.131.52/5 303 0.04 > >> 184.108.40.206/5 775 0.11 > >> 220.127.116.11/8 45 0.01 > >> 127.0.0.0/8 6 0.00 > >> 172.16.0.0/12 3646 0.50 > >> 18.104.22.168/7 1 0.00 > >> 22.214.171.124/5 1 0.00 > >> 192.168.0.0/16 7451 1.02 > >> 126.96.36.199/8 10 0.00 > >> 188.8.131.52/3 8 0.00 > > > > well, we can see why andree wanted to look behind the 1918 > stuff. it > > is the elephant. > > > > thanks, danny! > > > > randy > > In other words, our earlier estimate of 60% was way off... > you can get 92.1% effectiveness at bogon filtering by just > dropping 1918 addresses, a filter that you will never have to change. > > What's the operational cost trade-off with going after that > remaining 7.9%? I'll betcha it's not justifiable. Maybe > it's time to change the best current practices we recommend > so that they stop biting us in the ass every time a chunk of > our ever-dwindling pool of unused address space goes into play. > > My uncle used to tell this joke: > > Q: Why did the man hit himself in the head with a hammer? > A: Because it felt so good when he stopped? > > -r > > > >