[106868] in North American Network Operators' Group
Re: Is it time to abandon bogon prefix filters?
daemon@ATHENA.MIT.EDU (Robert E. Seastrom)
Fri Aug 15 08:23:05 2008
To: Randy Bush <randy@psg.com>
From: "Robert E. Seastrom" <rs@seastrom.com>
Date: Fri, 15 Aug 2008 08:22:56 -0400
In-Reply-To: <48A50330.6060902@psg.com> (Randy Bush's message of "Thu, 14 Aug 2008 21:16:48 -0700")
Cc: NANOG list <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org
Randy Bush <randy@psg.com> writes:
>> bogon block        attacks   % of attacks
>> 0.0.0.0/7               65       0.01
>> 2.0.0.0/8                3       0.00
>> 5.0.0.0/8                3       0.00
>> 10.0.0.0/8            8794       1.21
>> 23.0.0.0/8               4       0.00
>> 27.0.0.0/8               7       0.00
>> 92.0.0.0/6             101       0.01
>> 100.0.0.0/6            374       0.05
>> 104.0.0.0/5            303       0.04
>> 112.0.0.0/5            775       0.11
>> 120.0.0.0/8             45       0.01
>> 127.0.0.0/8              6       0.00
>> 172.16.0.0/12         3646       0.50
>> 174.0.0.0/7              1       0.00
>> 176.0.0.0/5              1       0.00
>> 192.168.0.0/16        7451       1.02
>> 223.0.0.0/8             10       0.00
>> 224.0.0.0/3              8       0.00
>
> well, we can see why andree wanted to look behind the 1918 stuff. it is
> the elephant.
>
> thanks, danny!
>
> randy
In other words, our earlier estimate of 60% was way off... you can
get 92.1% effectiveness at bogon filtering by just dropping 1918
addresses, a filter that you will never have to change.
What's the operational cost trade-off with going after that remaining
7.9%? I'll betcha it's not justifiable. Maybe it's time to change
the best current practices we recommend so that they stop biting us in
the ass every time a chunk of our ever-dwindling pool of unused
address space goes into play.
My uncle used to tell this joke:
Q: Why did the man hit himself in the head with a hammer?
A: Because it felt so good when he stopped?
-r
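The 92.1% figure above can be reproduced from the quoted table: sum the attack counts whose bogon block falls inside an RFC 1918 prefix and divide by the total. The script below is an added example, not code from the thread; the table text is constructed from the counts quoted above, and the `coverage_pct` helper name is my own.

```python
import ipaddress

# Constructed from the attack counts quoted in the thread: "<bogon block> <attacks>".
BOGON_ATTACKS = """\
0.0.0.0/7 65
2.0.0.0/8 3
5.0.0.0/8 3
10.0.0.0/8 8794
23.0.0.0/8 4
27.0.0.0/8 7
92.0.0.0/6 101
100.0.0.0/6 374
104.0.0.0/5 303
112.0.0.0/5 775
120.0.0.0/8 45
127.0.0.0/8 6
172.16.0.0/12 3646
174.0.0.0/7 1
176.0.0.0/5 1
192.168.0.0/16 7451
223.0.0.0/8 10
224.0.0.0/3 8
"""

# The static filter under discussion: the three RFC 1918 private ranges.
RFC1918 = [ipaddress.ip_network(p) for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_table(text):
    """Turn the two-column text into (IPv4Network, attack_count) rows."""
    rows = []
    for line in text.splitlines():
        prefix, count = line.split()
        rows.append((ipaddress.ip_network(prefix), int(count)))
    return rows


def covered_by(rows, filters):
    """Return (matched, total): attack counts whose block lies inside any filter prefix."""
    matched = total = 0
    for net, count in rows:
        total += count
        if any(net.subnet_of(f) for f in filters):
            matched += count
    return matched, total


def coverage_pct(text=BOGON_ATTACKS, filters=RFC1918):
    """Share of all bogon-sourced attacks that a filter on `filters` alone would have dropped."""
    matched, total = covered_by(parse_table(text), filters)
    return round(100.0 * matched / total, 1)
```

Swapping `RFC1918` for a fuller bogon list lets you weigh what each extra prefix buys against the maintenance cost of keeping that list current.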