[49654] in North American Network Operators' Group


Re: rewards/benefit bogon filters

daemon@ATHENA.MIT.EDU (Richard A Steenbergen)
Mon Jul 8 11:36:23 2002

Date: Mon, 8 Jul 2002 11:31:36 -0400
From: Richard A Steenbergen <ras@e-gerbil.net>
To: jnelson <jnelson@rackspace.com>
Cc: nanog@nanog.org
In-Reply-To: <EEEIJIKHJEPPPBNOFKNJOEDFCAAA.jnelson@rackspace.com>
Errors-To: owner-nanog-outgoing@merit.edu


On Mon, Jul 08, 2002 at 07:13:51AM -0500, jnelson wrote:
> Looking for some statistics from some dataminers out there....
> 
> Bogon lists? How effective are they? DDoS scripts are abundant to those who
> seek them. Am I going to reap any rewards by taxing my edge routers an extra
> 25 lines of ACL? Who out there has some stats I can look at?

For better performance, turn on RPF loose at your borders.

As for effectiveness, expect around a 40% drop in random source DoS. This 
may or may not be useful to you at all. When most people refer to bogon 
filtering, they're talking routes not packets.

I suppose if someone was determined they could write a DoS which uses only
valid source addresses, but there are two reasons why they don't:

1) Kiddies don't know and/or care, as long as they type ./ and you go down.
2) A fair amount of the overhead in a traditional raw socket high pps DoS
   is in the random number generation with every packet. In order to get a
   perfectly sourced DoS they would probably cross the point of 
   diminishing returns where the overall packet rate falls below what
   they were generating before even minus RPF filters.

Personally I'd almost rather keep the extra 40% of the attack and have the 
immediate cues and traceability provided by spotting obvious bogons coming 
in. Or use a Juniper, and do both. :)

-- 
Richard A Steenbergen <ras@e-gerbil.net>       http://www.e-gerbil.net/ras
PGP Key ID: 0x138EA177  (67 29 D7 BC E8 18 3E DA  B2 46 B3 D8 14 36 FE B6)
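The reply above contrasts three things: a static bogon ACL (drops sources in reserved/unallocated space), loose-mode uRPF (drops any source that has no route at all in the FIB), and an attacker who spoofs only routable sources and so passes both. The simulation below is an added example, not code from the post or from NANOG; the bogon list is the classic martian set (the /8s that were merely unallocated in 2002 are left out, so it is not the 2002 bogon list), the FIB is a constructed toy table rather than anyone's real routing table, and the helper names (`bogon_acl_drops`, `loose_urpf_drops`, `measure`, `classify`) are this example's own.

```python
"""Compare what a bogon ACL and loose-mode uRPF drop from spoofed floods.

Added example.  BOGONS is the classic martian list (constructed subset);
FIB is a toy stand-in for a border router's routing table.  Neither is
the 2002 bogon list or a real full table.
"""
import ipaddress
import random
from typing import List, Optional, Tuple, Union

Addr = Union[str, ipaddress.IPv4Address]

# Space a static bogon ACL would deny (constructed subset of the martians).
BOGONS: List[ipaddress.IPv4Network] = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.2.0/24", "192.168.0.0/16", "224.0.0.0/3",
)]

# Toy FIB: prefixes the border router has a route to.  Loose uRPF only
# asks "is there *any* route to this source?", so anything outside these
# is dropped, bogon or not.  Chosen so that no entry overlaps BOGONS.
FIB: List[ipaddress.IPv4Network] = [ipaddress.ip_network(p) for p in (
    "3.0.0.0/8", "12.0.0.0/8", "24.0.0.0/8", "63.0.0.0/8", "64.0.0.0/10",
    "128.0.0.0/4", "152.0.0.0/6", "193.0.0.0/8", "195.0.0.0/8",
    "204.0.0.0/6", "216.0.0.0/8",
)]


def _as_addr(a: Addr) -> ipaddress.IPv4Address:
    return a if isinstance(a, ipaddress.IPv4Address) else ipaddress.ip_address(a)


def matching_prefix(addr: Addr, prefixes: List[ipaddress.IPv4Network]
                    ) -> Optional[ipaddress.IPv4Network]:
    """First prefix in `prefixes` that contains addr, or None (linear scan)."""
    a = _as_addr(addr)
    for net in prefixes:
        if a in net:
            return net
    return None


def bogon_acl_drops(addr: Addr) -> bool:
    """A static ACL drops the packet iff its source is in a listed bogon."""
    return matching_prefix(addr, BOGONS) is not None


def loose_urpf_drops(addr: Addr, fib: List[ipaddress.IPv4Network] = FIB) -> bool:
    """Loose uRPF drops the packet iff no route in the FIB covers its source."""
    return matching_prefix(addr, fib) is None


def classify(addr: Addr) -> str:
    """Tag a source the way a log line would: the traceability cue the mail
    mentions comes from seeing *which* bogon a spoofed source fell into."""
    hit = matching_prefix(addr, BOGONS)
    if hit is not None:
        return f"bogon:{hit}"
    return "no-route" if loose_urpf_drops(addr) else "ok"


def bogon_address_fraction(bogons: List[ipaddress.IPv4Network] = BOGONS) -> float:
    """Share of the 2^32 IPv4 space in which a uniformly random source is a bogon,
    i.e. the best a bogon ACL can do against a purely random-source flood."""
    return sum(n.num_addresses for n in bogons) / 2 ** 32


def random_source_flood(n: int, seed: int = 1) -> List[ipaddress.IPv4Address]:
    """Constructed flood: a fresh random 32-bit source per packet (the kiddie case)."""
    rng = random.Random(seed)
    return [ipaddress.IPv4Address(rng.getrandbits(32)) for _ in range(n)]


def valid_source_flood(n: int, fib: List[ipaddress.IPv4Network] = FIB,
                       seed: int = 1) -> List[ipaddress.IPv4Address]:
    """Constructed flood: sources drawn only from routed prefixes, the
    'perfectly sourced' attack the mail says nobody bothers to write."""
    rng = random.Random(seed)
    out = []
    for _ in range(n):
        net = rng.choice(fib)
        out.append(net[rng.randrange(net.num_addresses)])
    return out


def measure(packets: List[ipaddress.IPv4Address]) -> Tuple[float, float]:
    """(fraction dropped by bogon ACL, fraction dropped by loose uRPF)."""
    acl = sum(bogon_acl_drops(a) for a in packets)
    urpf = sum(loose_urpf_drops(a) for a in packets)
    return acl / len(packets), urpf / len(packets)


if __name__ == "__main__":
    print(f"bogon share of address space: {bogon_address_fraction():.3f}")
    acl, urpf = measure(random_source_flood(20000))
    print(f"random-source flood: ACL drops {acl:.3f}, loose uRPF drops {urpf:.3f}")
    acl, urpf = measure(valid_source_flood(5000))
    print(f"routed-source flood: ACL drops {acl:.3f}, loose uRPF drops {urpf:.3f}")
    for s in ("10.1.2.3", "1.1.1.1", "193.0.14.1"):
        print(s, "->", classify(s))
```

Two things fall out of running it. Because the toy FIB shares nothing with the bogon list, everything the ACL drops is also unroutable, so loose uRPF always drops at least as much as the ACL; the gap between the two is exactly the allocated-but-not-yet-routed space that only uRPF catches. And the routed-source flood passes both filters untouched, which is the reply's point that the win depends on attackers not bothering to pick valid sources, not on the filter itself.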
