[95179] in North American Network Operators' Group


Re: Where are static bogon filters appropriate? was: 96.2.0.0/16

daemon@ATHENA.MIT.EDU (Sean Donelan)
Sat Mar 3 21:56:42 2007

Date: Sat, 3 Mar 2007 21:55:43 -0500 (EST)
From: Sean Donelan <sean@donelan.com>
To: Daniel Senie <dts@senie.com>
Cc: NANOG <nanog@merit.edu>
In-Reply-To: <7.0.1.0.2.20070302172409.06cbec00@senie.com>
Errors-To: owner-nanog@merit.edu


On Fri, 2 Mar 2007, Daniel Senie wrote:
> How do you know, if you're the one being attacked and you have no idea if the 
> originating network or their immediate upstream implemented BCP38? Shall we 
> just discard ingress filtering? If few attacks are using it today, should we 
> declare it no longer relevant? At the same time we should ask if we should be 
> x-raying shoes at the airport, since there's only been one guy who tried to 
> blow up his shoes. The larger security question is, "do you stop looking for 
> old threats simply because they're not the most common threats?" How many 
> CodeRed packets flow over the Internet on a typical day? I assure you it's 
> not zero.

Show me the data.

How many CodeRed packets originate from unallocated addresses?

Is the proposal actually effective at detecting or protecting against the 
threat?  Or is it just a wasted effort for show?

http://www.tsa.gov/press/happenings/kip_hawley_x-ray_remarks.shtm

Instead of dropping packets with unallocated source addresses, perhaps 
backbones should shut down the interfaces on which they receive packets from 
unallocated address space. Would this be more effective at stopping both 
the sources of unallocated addresses and the sources that spoof other 
addresses, because the best way to prevent your interface from being 
shut down by backbone operators is to be certain you only transmit 
packets with your source addresses?


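The two measurements this reply asks for, as an added example that is not part of the thread: how much of a sample's traffic actually comes from bogon space ("show me the data"), which ingress interfaces would be shut under the interface-shutdown alternative, and what a stale static list still carrying 96.0.0.0/8 (an assumption chosen to match the 96.2.0.0/16 subject) would wrongly drop. The flow records and interface names are constructed for illustration.

```python
import ipaddress
from collections import Counter

# Constructed flow records: (ingress interface, source address, packet count).
# Interface names and addresses are illustrative, not real data.
SAMPLE_FLOWS = [
    ("cust-A", "10.1.2.3", 500),     # RFC 1918 space on a public link: bogon
    ("cust-B", "240.1.1.1", 300),    # reserved 240/4: bogon
    ("cust-C", "96.2.10.5", 1200),   # inside 96.2.0.0/16, the thread's prefix
    ("cust-C", "96.30.4.9", 800),    # elsewhere in 96/8 (assumed allocated)
    ("cust-A", "172.20.9.9", 50),    # RFC 1918 space: bogon
]

# A current bogon list: only space that is never legitimately routed.
CURRENT_BOGONS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "172.16.0.0/12",
    "192.168.0.0/16", "240.0.0.0/4")]
# A stale static list (assumed for this example) that still carries 96/8.
STALE_BOGONS = CURRENT_BOGONS + [ipaddress.ip_network("96.0.0.0/8")]

def is_bogon(src, bogons):
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in bogons)

def packet_breakdown(flows, bogons):
    """Packets split by whether the source sits in the bogon list."""
    counts = Counter()
    for _, src, pkts in flows:
        counts["bogon" if is_bogon(src, bogons) else "allocated"] += pkts
    return counts

def bogon_share(flows, bogons):
    """Fraction of packets with a bogon source: the data being asked for."""
    counts = packet_breakdown(flows, bogons)
    total = counts["bogon"] + counts["allocated"]
    return counts["bogon"] / total if total else 0.0

def interfaces_to_shut(flows, bogons):
    """Interfaces that emitted bogon-sourced packets (the shutdown proposal)."""
    return {iface for iface, src, _ in flows if is_bogon(src, bogons)}

def stale_false_positives(flows):
    """Sources the stale list drops that the current list would pass."""
    return sorted(src for _, src, _ in flows
                  if is_bogon(src, STALE_BOGONS)
                  and not is_bogon(src, CURRENT_BOGONS))
```

With the stale list, interfaces_to_shut also returns cust-C, the interface carrying only legitimately allocated 96/8 sources, which is the false-positive cost a static filter adds to either policy.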