[93362] in North American Network Operators' Group


Re: [c-nsp] [Re: huge amount of weird traffic on poin-to-point ethernet

daemon@ATHENA.MIT.EDU (Michael.Dillon@btradianz.com)
Fri Nov 10 08:26:53 2006

In-Reply-To: <Pine.LNX.4.64.0611101311330.9926@hermes-1.csi.cam.ac.uk>
To: nanog@merit.edu
From: Michael.Dillon@btradianz.com
Date: Fri, 10 Nov 2006 13:24:58 +0000
Errors-To: owner-nanog@merit.edu


> > If there were some way to have a feed of real bogons,
> > i.e. address prefixes that are *KNOWN* to be bogus at
> > the point in time they are in the feed, that would be
> > useful for filtering. And it would likely be a best practice
> > to use such a feed.
> >
> > But at the present time, such a feed does not exist.
> 
> http://www.cymru.com/BGP/bogon-rs.html

That is not a feed of routes that are known to be bogus.
That is a feed of routes that use addresses which have 
not been allocated by IANA to an RIR. There are many 
bogus routes that are not included in the Cymru feed.

For instance,
RIR address ranges that have not yet been allocated.
ISP address ranges that have not yet been assigned.
Assigned address ranges that are not announced by
the assignee.
Address ranges from which a high percentage of the
traffic is SPAM, i.e. a network owned by spammers.

I am arguing that it is better to start with a database
that allows several attributes, both negative and positive,
to be associated with address ranges. Then build a feed
from that, in fact, allow the user to specify which attributes
they want in their feed. One size fits all just doesn't work.

--Michael Dillon
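
Added example, not part of the original post: a sketch of the kind of attribute database the message argues for, where each address range carries several attributes and each consumer builds a feed from the attributes they choose. The class, the attribute names and the sample prefixes (documentation ranges) are all assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

class PrefixAttributeDB:
    """Address ranges tagged with any number of attributes (names are hypothetical)."""

    def __init__(self):
        self._attrs = defaultdict(set)  # ip_network -> {attribute, ...}

    def tag(self, prefix, *attributes):
        self._attrs[ipaddress.ip_network(prefix)].update(attributes)

    def build_feed(self, wanted, exempt=()):
        """Prefixes with any `wanted` attribute, minus space tagged with an `exempt` one."""
        wanted, exempt = set(wanted), set(exempt)
        holes = [n for n, a in self._attrs.items() if a & exempt]
        selected = []
        for net in (n for n, a in self._attrs.items() if a & wanted):
            pieces = [net]
            for hole in holes:
                kept = []
                for p in pieces:
                    if p.version != hole.version or not p.overlaps(hole):
                        kept.append(p)                        # untouched by this exemption
                    elif hole != p and hole.subnet_of(p):
                        kept.extend(p.address_exclude(hole))  # carve the exemption out
                    # otherwise p lies wholly inside the exemption and is dropped
                pieces = kept
            selected.extend(pieces)
        feed = []
        for version in (4, 6):  # collapse_addresses cannot mix address families
            same = [n for n in selected if n.version == version]
            feed.extend(str(n) for n in ipaddress.collapse_addresses(same))
        return feed

def sample_db():
    """Constructed sample data using documentation prefixes (RFC 5737)."""
    db = PrefixAttributeDB()
    db.tag("198.51.100.0/24", "rir-unallocated")
    db.tag("203.0.113.0/25", "isp-unassigned")
    db.tag("203.0.113.128/25", "spam-source")
    db.tag("192.0.2.0/24", "assigned-unannounced")
    db.tag("192.0.2.64/26", "verified-announced")   # positive attribute
    return db

if __name__ == "__main__":
    db = sample_db()
    print(db.build_feed({"isp-unassigned", "spam-source"}))
    print(db.build_feed({"assigned-unannounced"}, exempt={"verified-announced"}))
```

Two consumers of the same database get different feeds: one filters unassigned and spam-source space, the other filters unannounced space except where a positive attribute overrides it.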


