
On Sun, 5 Dec 2004, Rob Thomas wrote:
Hi, NANOGers.
Hello,
] - That's only some 40% of all address space, so you need to be able to
] deal with the other 60% anyway. Why wouldn't whatever mechanism that
] deals with the 60% be unable to deal with the additional 40%?
In a study of one oft-scanned and attacked site, we found that 66.85% of the source IPs were bogon (RFC1918, unallocated, etc.). You can read about it at the following URL:
<http://www.cymru.com/Presentations/60days.ppt>
Filtering out bogons removes yet one more potential source of badness. Does it remove all badness? Of course not. We win by degrees. Removing any tool from the bad persons' toolkit is useful.
Does it really? When I perform any type of change, the most important thing for me isn't what it will prevent/help with but the opposite: what it will not prevent/help with. Blocking bogons will result in attackers using existing netblocks instead. This will again result in more insecurity, since any attack will have source addresses within valid space and some people will find it harder to determine the real sources, at least in the beginning. So any type of bogon filter like that seems to me a total waste of time. It does not really prevent anything in the long run.

You may have taken the can-opener away from this bad person, but you don't really need a can-opener to open the beer anyway... correct me if I'm wrong.

Joergen Hovland ENK
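The percentage Rob quotes comes from classifying observed attack sources against a bogon list; the following is an added example of that classification, not code from the thread or from Team Cymru. It assumes a fixed bogon list (RFC 1918 plus a few permanently reserved ranges) and constructed `src=` log lines; in practice the unallocated portion changes as registries assign space and must come from a maintained list.

```python
import ipaddress

# Assumed bogon list: RFC 1918 plus ranges that are reserved by standard and
# never routable. Unallocated space is deliberately left out here because it
# changes over time; a real filter pulls it from a maintained bogon feed.
BOGON_PREFIXES = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8",        # "this" network
    "10.0.0.0/8",       # RFC 1918
    "127.0.0.0/8",      # loopback
    "169.254.0.0/16",   # link-local
    "172.16.0.0/12",    # RFC 1918
    "192.0.2.0/24",     # TEST-NET-1 (documentation)
    "192.168.0.0/16",   # RFC 1918
    "224.0.0.0/4",      # multicast
    "240.0.0.0/4",      # reserved
)]

def is_bogon(addr):
    """True if addr falls inside any configured bogon prefix."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in BOGON_PREFIXES)

def parse_src_ips(log_lines):
    """Extract the source address from constructed 'src=A.B.C.D' log lines."""
    return [tok[4:] for line in log_lines
            for tok in line.split() if tok.startswith("src=")]

def bogon_share(src_ips):
    """Return (bogon_count, total, percent) for a list of source IPs.
    The remainder (total - bogon_count) is what a bogon filter does NOT
    stop and still has to be handled by other means."""
    total = len(src_ips)
    bogons = sum(1 for ip in src_ips if is_bogon(ip))
    pct = round(100.0 * bogons / total, 2) if total else 0.0
    return bogons, total, pct

# Constructed sample log lines (not real traffic). 198.51.100.0/24 and
# 203.0.113.0/24 are documentation ranges used here as stand-ins for
# ordinary allocated space, so they are intentionally not in the list above.
SAMPLE_LOG = [
    "t=1 proto=tcp src=10.1.2.3      dst=203.0.113.7 dport=80",
    "t=2 proto=tcp src=198.51.100.5  dst=203.0.113.7 dport=80",
    "t=3 proto=udp src=172.20.5.6    dst=203.0.113.7 dport=53",
    "t=4 proto=tcp src=192.168.0.1   dst=203.0.113.7 dport=22",
    "t=5 proto=tcp src=224.0.0.9     dst=203.0.113.7 dport=80",
    "t=6 proto=tcp src=203.0.113.9   dst=203.0.113.7 dport=443",
]

if __name__ == "__main__":
    bogons, total, pct = bogon_share(parse_src_ips(SAMPLE_LOG))
    print(f"{bogons}/{total} sources in bogon space ({pct}%); "
          f"{total - bogons} would pass a bogon filter")
```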