[107066] in North American Network Operators' Group
RE: Is it time to abandon bogon prefix filters?
daemon@ATHENA.MIT.EDU (Tomas L. Byrnes)
Mon Aug 25 02:21:28 2008
Date: Sun, 24 Aug 2008 23:21:23 -0700
In-Reply-To: <200808212006370.32BF5B92.10507@clifden.donelan.com>
From: "Tomas L. Byrnes" <tomb@byrneit.net>
To: "Sean Donelan" <sean@donelan.com>,
"NANOG list" <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org
You're missing one of the basic issues with bogon sources: they are
often advertised bogons, i.e. the bad guy DOES care about getting the
packets back, and has, in fact, created a way to do so.
This is usually VERY BAD traffic, and EVEN WORSE if a user goes TO a
site hosted in such IP space.
So, bogon filtering has value beyond mere spoofed source rejection.
> -----Original Message-----
> From: Sean Donelan [mailto:sean@donelan.com]
> Sent: Thursday, August 21, 2008 5:19 PM
> To: NANOG list
> Subject: Re: Is it time to abandon bogon prefix filters?
>
> On Mon, 18 Aug 2008, Danny McPherson wrote:
> > All the interesting attacks today that employ spoofing (and the
> > majority of the less-interesting ones that employ spoofing) are
> > usually relying on existence of the source as part of the attack
> > vector (e.g., DNS cache poisoning, BGP TCP RST attacks, DNS
> > reflective amplification attacks, etc.), and as a result, loose mode
> > gives folks a false sense of protection/action.
>
> Yep. Same thing with bogon filters. Any attacker who can
> source packets with bogon addresses can, by definition,
> source packets with any "valid" IP address too. Great as an
> academic exercise, but the bad guys are going to send evil
> packets without the evil bit nor using bogon addresses. If
> the bad guys are using spoofed addresses, they don't care
> about the reply packets to either valid or unallocated addresses.
>
> However, seeing packets with unallocated IP addresses on the
> Internet is evidence of a broken network. Just like when a
> network trips "max prefix" on a BGP session, shouldn't a
> broken network be shut down until the problem is fixed? If
> you don't want to risk your network peers turning off the
> connections, make sure your network doesn't source spoofed packets.
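The three checks this exchange touches on (rejecting bogon-sourced packets, catching bogon space that is actually advertised in BGP, and noticing traffic headed TO a bogon-hosted destination), written out as an added illustration that is not part of the thread. The bogon list is a constructed snapshot of permanently reserved IPv4 ranges only; a live filter must also carry the IANA-unallocated blocks and refresh them, since that space becomes allocated over time.

```python
import ipaddress
from typing import List, Optional

# Constructed bogon snapshot: permanently reserved ("martian") IPv4 ranges.
# Unallocated blocks are deliberately left out; they change over time and
# must come from a refreshed feed, never from a static list like this one.
BOGONS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.0.0/24", "192.0.2.0/24", "192.168.0.0/16",
    "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24",
    "224.0.0.0/4", "240.0.0.0/4",
)]


def is_bogon_address(addr: str) -> bool:
    """True if a single IPv4 address falls inside any bogon range."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in BOGONS)


def advertised_prefix_problem(prefix: str) -> Optional[str]:
    """Check a BGP-advertised prefix against the bogon list.

    Returns the bogon range it collides with, or None if clean. Both
    directions matter: a /16 carved out of 240/4 is an advertised bogon,
    and an over-wide announcement that covers 224/4 smuggles bogon space
    inside an otherwise plausible prefix.
    """
    net = ipaddress.ip_network(prefix, strict=False)
    for bogon in BOGONS:
        if net.subnet_of(bogon) or net.supernet_of(bogon):
            return str(bogon)
    return None


def classify_packet(src: str, dst: str) -> List[str]:
    """Flag a packet on source (spoof/advertised bogon) and destination
    (user going TO a site hosted in bogon space)."""
    findings = []
    if is_bogon_address(src):
        findings.append("bogon-source")
    if is_bogon_address(dst):
        findings.append("bogon-destination")
    return findings
```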