On Mon, Jul 08, 2002 at 07:13:51AM -0500, jnelson wrote:
> Looking for some statistics from some dataminers out there....
> Bogon lists? How effective are they? DDoS scripts are abundant to those who seek them. Am I going to reap any rewards by taxing my edge routers an extra 25 lines of ACL? Who out there has some stats I can look at?
For better performance, turn on RPF loose at your borders. As for effectiveness, expect around a 40% drop in random source DoS. This may or may not be useful to you at all. When most people refer to bogon filtering, they're talking routes, not packets.

I suppose if someone was determined they could write a DoS which uses only valid source addresses, but there are two reasons why they don't:

1) Kiddies don't know and/or care, as long as they type ./ and you go down.

2) A fair amount of the overhead in a traditional raw socket high pps DoS is in the random number generation with every packet. In order to get a perfectly sourced DoS they would probably cross the point of diminishing returns where the overall packet rate falls below what they were generating before, even minus RPF filters.

Personally I'd almost rather keep the extra 40% of the attack and have the immediate cues and traceability provided by spotting obvious bogons coming in. Or use a Juniper, and do both. :)

-- 
Richard A Steenbergen <ras@e-gerbil.net>       http://www.e-gerbil.net/ras
PGP Key ID: 0x138EA177 (67 29 D7 BC E8 18 3E DA B2 46 B3 D8 14 36 FE B6)
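As an added example, not part of this thread and not code posted by either participant, the Python script below shows the defender-side half of the point made above: given a source-prefix deny list, how much of a randomly sourced flood it would catch, and what "immediate cue" you get by counting which reserved blocks the spoofed sources land in. The prefix list is an illustrative subset of permanently reserved IPv4 space (RFC 1918, loopback, link-local, multicast, class E, "this" network), not a full bogon list; real bogon lists also carry the unallocated space of the day, which changes and must be pulled from an authoritative feed. The flow records are constructed, and the 198.51.100.x/203.0.113.x addresses are documentation ranges standing in for legitimate hosts.

```python
import ipaddress
from collections import Counter

# Illustrative subset of reserved IPv4 space (assumption: a stand-in for a
# real bogon feed, which would also include currently unallocated blocks).
BOGON_PREFIXES = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8",        # "this" network
    "10.0.0.0/8",       # RFC 1918 private
    "127.0.0.0/8",      # loopback
    "169.254.0.0/16",   # link-local
    "172.16.0.0/12",    # RFC 1918 private
    "192.168.0.0/16",   # RFC 1918 private
    "224.0.0.0/4",      # multicast
    "240.0.0.0/4",      # class E / reserved
)]

# Constructed flow export, one record per line; the last line is deliberately
# malformed to show how unparsable records are handled.
FLOW_LOG = """\
2002-07-08T07:20:01 src=10.4.19.2 dst=203.0.113.10 proto=tcp bytes=40
2002-07-08T07:20:01 src=198.51.100.23 dst=203.0.113.10 proto=tcp bytes=1500
2002-07-08T07:20:02 src=224.9.1.1 dst=203.0.113.10 proto=udp bytes=40
2002-07-08T07:20:02 src=127.3.3.3 dst=203.0.113.10 proto=tcp bytes=40
2002-07-08T07:20:03 src=198.51.100.77 dst=203.0.113.10 proto=tcp bytes=600
2002-07-08T07:20:03 src=0.1.2.3 dst=203.0.113.10 proto=tcp bytes=40
2002-07-08T07:20:04 src=240.1.1.1 dst=203.0.113.10 proto=tcp bytes=40
2002-07-08T07:20:04 src=not-an-ip dst=203.0.113.10 proto=tcp bytes=40
"""


def matching_bogon(ip):
    """Return the bogon prefix containing ip, or None if it is routable space."""
    addr = ipaddress.ip_address(ip)
    for net in BOGON_PREFIXES:
        if addr in net:
            return net
    return None


def is_bogon(ip):
    return matching_bogon(ip) is not None


def bogon_fraction():
    """Share of the 2^32 IPv4 space covered by the deny list.

    For a flood with uniformly random 32-bit sources this is the expected
    fraction of packets the filter drops; overlaps are collapsed first so
    nothing is double counted.
    """
    covered = sum(n.num_addresses
                  for n in ipaddress.collapse_addresses(BOGON_PREFIXES))
    return covered / 2 ** 32


def parse_flow_line(line):
    """Parse 'timestamp key=value ...' into a dict; raises ValueError on bad IPs."""
    tokens = line.split()
    fields = dict(tok.split("=", 1) for tok in tokens[1:])
    fields["timestamp"] = tokens[0]
    fields["src"] = str(ipaddress.ip_address(fields["src"]))
    fields["dst"] = str(ipaddress.ip_address(fields["dst"]))
    return fields


def classify_flows(text):
    """Count bogon-sourced vs. routable-sourced flows and which block each hit."""
    summary = Counter()
    per_prefix = Counter()
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            rec = parse_flow_line(line)
        except (ValueError, KeyError, IndexError):
            summary["unparsable"] += 1
            continue
        net = matching_bogon(rec["src"])
        if net is None:
            summary["routable_src"] += 1
        else:
            summary["bogon_src"] += 1
            per_prefix[str(net)] += 1
    return {"summary": dict(summary), "per_prefix": dict(per_prefix)}


if __name__ == "__main__":
    print(f"deny list covers {bogon_fraction():.1%} of IPv4 space")
    result = classify_flows(FLOW_LOG)
    print(result["summary"])
    for prefix, count in sorted(result["per_prefix"].items()):
        print(f"  {prefix:16} {count} spoofed source(s)")
```

With only the reserved ranges above the list covers roughly 13.7% of the address space, well under the 40% quoted in the reply; the difference is the large unallocated blocks a 2002 bogon list carried, which is exactly the part that must come from a maintained feed rather than a hard-coded table. The per-prefix breakdown is the operational payoff the reply mentions: spoofed traffic sourced from 10/8 or 224/4 cannot be legitimate, so a spike in those counters is a clean trigger for alerting before anyone looks at payloads.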