[106645] in North American Network Operators' Group
Re: Is it time to abandon bogon prefix filters?
daemon@ATHENA.MIT.EDU (Rob Thomas)
Thu Aug 7 17:41:32 2008
Date: Thu, 07 Aug 2008 16:38:47 -0500
From: Rob Thomas <robt@cymru.com>
To: Randy Bush <randy@psg.com>
In-Reply-To: <489B57B6.7030602@psg.com>
Cc: NANOG list <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org

Hi, NANOG (he says with a shout)!

> btw, patrick neglected the last sentences of that paragraph, which made
> me wonder what rob would actually say. luckily, in response to my post,
> rob replied that he/they would try to get some useful measures in the
> near term. i am patient.

Yep yep, have some results at last. Sorry, the queries took a bit
longer than planned.

Note that the study I conducted which populated the "60 Days of Basic
Naughtiness" presentation is now years old. Such studies, like me,
don't necessarily age well. :)

This is not meant to replace a more comprehensive and clueful study by
the likes of Vern, Stefan, and the CAIDA crew. As folks may know we
have a large Darknet[1] project. In there we collect the scanning
activity of malware, backscatter, and the like. Often we can tie the
scanning pattern to a family of malware or maltool.

If the source of a scan or probe is a bogon, we tag it that way in our
data store. I went back to 2008-01 and found the following percentages
of bogons in our data:

2008-01: 0.001095262%
2008-02: 0.001759343%
2008-03: 0.001619555%
2008-04: 0.001433908%
2008-05: 0.001182351%
2008-06: 0.130534559%
2008-07: 0.002327683%
2008-08: 0.001258054% (thus far)

That's not a lot of bogon activity in the Darknets, though Darknets are
only one measure of malevolent traffic. Your mileage may vary, etc.

[1] <http://www.team-cymru.org/Services/darknets.html>

Thanks,
Rob.
--
Rob Thomas
Team Cymru
http://www.team-cymru.org/
cmn_err(CEO_PANIC, "Out of coffee!");
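
Added example, not part of the original message and not Team Cymru's code: one way to tag darknet events by bogon source and compute the per-month percentage the message reports. The record format, function names and prefix list are assumptions; the list holds reserved IPv4 space only, whereas a real bogon feed also covers unallocated space and changes over time.

```python
import ipaddress
from collections import defaultdict

# Assumption: reserved IPv4 space only, as a static list. TEST-NET-2/3 are
# deliberately left out because the sample uses them as routable stand-ins.
BOGON_PREFIXES = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.2.0/24", "192.168.0.0/16", "224.0.0.0/3",
)]

# Constructed sample records: "YYYY-MM-DD source_ip dest_port"
SAMPLE_EVENTS = """\
2008-06-03 10.1.2.3 445
2008-06-03 198.51.100.7 135
2008-06-04 203.0.113.9 445
2008-06-04 192.168.0.5 139
2008-07-01 198.51.100.20 445
2008-07-01 203.0.113.77 22
2008-07-02 not-an-ip 445
2008-07-02 240.0.0.1 1434
2008-07-02 198.51.100.8 80
"""

def is_bogon(addr, prefixes=BOGON_PREFIXES):
    """True if addr falls inside any listed prefix (raises ValueError if unparsable)."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in prefixes)

def monthly_bogon_percent(lines, prefixes=BOGON_PREFIXES):
    """Return ({month: percent of events with a bogon source}, skipped_line_count)."""
    totals, bogons, skipped = defaultdict(int), defaultdict(int), 0
    for line in lines:
        parts = line.split()
        try:
            day, src = parts[0], parts[1]
            tagged = is_bogon(src, prefixes)
        except (IndexError, ValueError):
            skipped += 1          # malformed record: count it, do not guess
            continue
        month = day[:7]
        totals[month] += 1
        bogons[month] += tagged   # bool adds as 0 or 1
    return {m: 100.0 * bogons[m] / totals[m] for m in sorted(totals)}, skipped

if __name__ == "__main__":
    percents, skipped = monthly_bogon_percent(SAMPLE_EVENTS.splitlines())
    for month, pct in percents.items():
        print(f"{month}: {pct:.9f}%")
    print(f"skipped records: {skipped}")
```

Because the prefix list is a parameter, the same log can be re-scored against an older or newer bogon list to see how much a stale filter changes the tagged share.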