On Sun, 5 Dec 2004, Rob Thomas wrote:
In a study of one oft' scanned and attacked site, we found that 66.85% of the source IPs were bogon (RFC1918, unallocated, etc.). You can read about it at the following URL:
One of the more annoying things has been Team Cymru munged "Unallocated" and "Martian" addresses together to create "Bogons." As your 2001 presentation indicates, 53.39% were from Class D and E space, which means about 13% were from "Unallocated" space. And of course about 34% from "Allocated" space. Protocol hygenie is good. Keeping martians out of the routing table and dropping packets with never valid source addresses is good. Unless the RFCs are changed, those IP addresses are extremely stable. The unfortunate use of the word "Bogon" has lead some less technical people to believe everything in the Team Cymru lists are the same. The problems with the Team Cymru lists occur because they include unallocated space in the same list in a recommended static router configuration file. For most users, router configuration files are very static. The configurations are created when they install the router, and rarely updated. Car commercials say "Do not attempt. Professional driver on closed course." Unless you are a professional router driver, using Team Cymru's suggested router configuration will hurt most average users. Which is a problem because a lot of the Team Cymru recommendations are good router hygenie. But I can't in good faith recommend people use the Team Cymru, because of those dangerous inclusions.