Having recently read David Moore's paper on backscatter analysis, http://www.caida.org/outreach/papers/2001/BackScatter/ this data is interesting because most of these filters seem to be blocking an amount of traffic proportional to their size.
Extended IP access list 120 (Compiled)
    permit tcp any any established (243252113 matches)
    deny ip 0.0.0.0 1.255.255.255 any (825328 matches)

The netmask is twice as large and it blocks twice the traffic as the following three blocks.

    deny ip 2.0.0.0 0.255.255.255 any (413487 matches)
    deny ip 5.0.0.0 0.255.255.255 any (410496 matches)
    deny ip 7.0.0.0 0.255.255.255 any (413621 matches)
    deny ip 10.0.0.0 0.255.255.255 any (1524547 matches)

RFC 1918 space is different from the rest.

<some deleted to save space>

    deny ip 72.0.0.0 7.255.255.255 any (3300703 matches)

Eight times as big, blocks eight times as much traffic.

<some deleted to save space>

    deny ip 224.0.0.0 31.255.255.255 any (13165320 matches)

And the relationship holds even up here in the multicast range.
However, since you are seeing this on your ingress filters, this can't be backscatter. It must be incoming attack traffic, and since the traffic is evenly distributed over the entire IPv4 address space, you can calculate how much attack traffic is still getting through by adding up the amount of IPv4 address space that you aren't filtering.

If you would look at the destination IP addresses from some of the netblocks in the above list, then you could identify which of your machines (or your customer machines) are being attacked. This now provides enough information to identify attack traffic close to its source. If you would publish the destination addresses and time periods of the attacks, then other people could look in their netflow data for traffic from bogon addresses to your destination. A central repository like dshield.org for this data would be interesting.

Other than for idle curiosity, I think this is interesting because there is the real possibility of being able to identify an attacker and victim soon enough after an attack begins that the victim could issue legal warnings to the attacker and possibly follow up in the courts. I would think that after a few well-publicised cases, the owners of compromised machines used to initiate DDOS attacks will begin to secure their machines the way they should have in the first place.

-- Michael Dillon
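The back-of-the-envelope calculation described in the post, as an added example in Python (not code from the post or its author): parse the deny counters, normalise each by the number of addresses its wildcard mask covers to check that hits scale with block size, then extrapolate the per-address rate of the bogon blocks over the address space the ACL does not deny. The ACL text is constructed from the counters quoted above, the function names are mine, and the extrapolation rests on the post's assumption that source addresses are spread uniformly over IPv4.

```python
import re
from ipaddress import IPv4Address

# Constructed sample: the counters quoted in the post, re-typed as
# "show access-list" style output (not a live capture).
ACL_OUTPUT = """\
Extended IP access list 120 (Compiled)
    permit tcp any any established (243252113 matches)
    deny ip 0.0.0.0 1.255.255.255 any (825328 matches)
    deny ip 2.0.0.0 0.255.255.255 any (413487 matches)
    deny ip 5.0.0.0 0.255.255.255 any (410496 matches)
    deny ip 7.0.0.0 0.255.255.255 any (413621 matches)
    deny ip 10.0.0.0 0.255.255.255 any (1524547 matches)
    deny ip 72.0.0.0 7.255.255.255 any (3300703 matches)
    deny ip 224.0.0.0 31.255.255.255 any (13165320 matches)
"""

DENY_RE = re.compile(r"deny ip (\S+) (\S+) any \((\d+) matches\)")

def block_size(wildcard):
    """Cisco wildcard mask: set bits are 'don't care', so the block
    covers wildcard+1 addresses (1.255.255.255 -> 2**25)."""
    return int(IPv4Address(wildcard)) + 1

def parse_deny_entries(text):
    """(network, addresses covered, matches) for each deny line."""
    return [(m.group(1), block_size(m.group(2)), int(m.group(3)))
            for m in DENY_RE.finditer(text)]

def matches_per_address(entries):
    """Counter divided by block size. Evenly spread (spoofed) traffic
    gives near-equal values; an outlier such as the RFC 1918 block
    is something other than the random-source flood."""
    return {net: hits / size for net, size, hits in entries}

def estimate_unfiltered_hits(entries, exclude=("10.0.0.0",)):
    """Extrapolate the bogon blocks' per-address rate over the space
    the ACL does not deny. Assumes (as the post does) sources are
    spoofed uniformly over IPv4. Returns (rate, sampled_hits,
    estimated_hits_passing_the_filter)."""
    sample = [(s, h) for net, s, h in entries if net not in exclude]
    sampled_space = sum(s for s, _ in sample)
    sampled_hits = sum(h for _, h in sample)
    rate = sampled_hits / sampled_space
    denied_space = sum(s for _, s, _ in entries)
    return rate, sampled_hits, rate * (2**32 - denied_space)
```

On the quoted counters the bogon blocks all land near 0.0245 matches per address while 10.0.0.0/8 is roughly four times that, and the estimate of traffic passing the listed filters comes out around 86 million matches over the same counter period.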