Hey, Randy.
this is an extremely far cry from 60%. what am i not understanding?
There are a few factors at work here. One, the 60% figure was from 2001-03-16. There were more bogons then, and our sundry measures saw a lot more malevolence from bogon space. A popular belief in the underground in 2001 was that spoofing in general, and the use of bogon space specifically, added a layer of protection for their collections of compromised hosts. In the age of masses of compromised routers, servers, and workstations, that's no longer a necessary defensive measure. At circa US $.04 each, bots are easily replaced. Compromised routers don't cost much more than that. Two, we really can't compare the two (time issues aside). The 60% figure came from a study of a frequently (as in daily) attacked web site. The figures I shared today came from our Darknets, which are more global and not limited to a certain type of service or site owner. Third, that site has been split into multiple sites (after about 2005) so unfortunately I can't easily reproduce the study from 2001. That is a real bummer. So I'm not comparing apples and apples. We also track DDoS attacks, malware propagation, and other Internet malevolence. As a shot from the hip, I'll say we see very little abuse from bogon IP space. I won't say we see no abuse from bogon space, however, so we keep bogons automatically filtered on our border. I like to keep the online criminal toolkit as sparse as I can. :)
and can you separate reserved (127, ...) and unallocated?
I can indeed, though it'll take me a bit to do so. Again, stay tuned. Thanks, Rob. -- Rob Thomas Team Cymru http://www.team-cymru.org/ cmn_err(CEO_PANIC, "Out of coffee!");