
Hi, NANOGers.

] - That's only some 40% of all address space, so you need to be able to
] deal with the other 60% anyway. Why wouldn't whatever mechanism that
] deals with the 60% be unable to deal with the additional 40%?

In a study of one oft-scanned and attacked site, we found that 66.85% of the source IPs were bogon (RFC1918, unallocated, etc.). You can read about it at the following URL:

<http://www.cymru.com/Presentations/60days.ppt>

Filtering out bogons removes yet one more potential source of badness. Does it remove all badness? Of course not. We win by degrees. Removing any tool from the bad persons' toolkit is useful.

Those who track backscatter (the detritus of a spoofed source attack) are still seeing a healthy bit of traffic. While spoofing is less popular than it once was, it still remains a viable attack feature. Tools such as bang.c depend entirely on the ability to spoof.

Not all spoofing uses bogon IP space. That's fine, we can reduce the alternatives bit by bit. Dealing with the other sources of badness is an exercise for other ideas. The Darknet Project is one such way to spot that badness.

<http://www.cymru.com/Darknet/>

How you choose to respond to that badness (report it to the source, report it to their upstreams, null route them, do nothing) is of course up to you.

] - (Loose) uRPF will buy you the exact same functionality and more
] without any upkeep.

Even with uRPF one needs to keep the RIB clean. That means the use of filtering. We and others provide those as well:

<http://www.cymru.com/Documents/secure-bgp-template.html>
<http://www.cymru.com/gillsr/documents/junos-bgp-template.htm>
<ftp://ftp-eng.cisco.com/cons/isp/security/Ingress-Prefix-Filter-Templates/>

Thanks,
Rob.
--
Rob Thomas
http://www.cymru.com
ASSERT(coffee != empty);
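The tally behind a figure like "66.85% of source IPs were bogon" is easy to reproduce on your own firewall or ACL logs. The following is an added example, not code from Rob Thomas's post or from Team Cymru: it classifies the source address of each log line against the static reserved ranges (RFC1918, loopback, link-local, multicast, etc.) plus a caller-supplied snapshot of unallocated space, and reports the bogon fraction. The log lines, the victim address 203.0.113.7 and the single-prefix "unallocated" snapshot are all constructed for the example; the point of keeping the unallocated part separate is the upkeep the post mentions, since that portion of bogon space shrinks as registries allocate it and must be refreshed from a maintained list rather than hard-coded.

```python
# Added example (not from the NANOG post): bogon classification of source
# addresses in a firewall log, the host-side counterpart of a bogon ACL
# or a loose uRPF check against a clean RIB.
import ipaddress
import re
from collections import Counter

# Static bogon prefixes: "this" network, private (RFC1918), shared address
# space, loopback, link-local, IETF protocol assignments, documentation,
# benchmarking, multicast and reserved space. These do not change.
STATIC_BOGONS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.2.0/24",
    "192.168.0.0/16", "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24",
    "224.0.0.0/4", "240.0.0.0/4",
)]

# Constructed snapshot of unallocated space. 5.0.0.0/8 was unallocated
# when this thread was written and has since been handed out by IANA,
# which is exactly why this list needs refreshing from a maintained feed.
UNALLOCATED_SNAPSHOT = [ipaddress.ip_network("5.0.0.0/8")]


def is_bogon(ip_str, unallocated=()):
    """True if the address lies in a static bogon prefix or in the
    supplied (time-dependent) list of unallocated prefixes."""
    ip = ipaddress.ip_address(ip_str.strip())
    return any(ip in net for net in STATIC_BOGONS) or \
        any(ip in net for net in unallocated)


# Matches " <src-ip>:<port> ->" in the constructed log format below.
SRC_RE = re.compile(r"\s(\d{1,3}(?:\.\d{1,3}){3}):\d+\s->")

# Constructed firewall log; 203.0.113.7 is a placeholder victim address.
SAMPLE_LOG = """\
Mar 10 00:01:12 fw deny tcp 10.4.4.9:4123 -> 203.0.113.7:80
Mar 10 00:01:13 fw deny tcp 192.168.77.2:1025 -> 203.0.113.7:80
Mar 10 00:01:13 fw deny tcp 172.32.5.5:33001 -> 203.0.113.7:22
Mar 10 00:01:14 fw deny udp 0.5.6.7:53 -> 203.0.113.7:53
Mar 10 00:01:14 fw deny tcp 224.1.1.1:2048 -> 203.0.113.7:80
Mar 10 00:01:15 fw deny tcp 198.20.3.4:40112 -> 203.0.113.7:443
Mar 10 00:01:15 fw deny tcp 169.254.3.3:1026 -> 203.0.113.7:80
Mar 10 00:01:16 fw deny tcp 223.5.5.5:51234 -> 203.0.113.7:22
Mar 10 00:01:16 fw deny tcp 5.5.5.5:6000 -> 203.0.113.7:80
Mar 10 00:01:17 fw deny tcp 172.16.9.9:1027 -> 203.0.113.7:80
"""


def tally_sources(log_text, unallocated=()):
    """Count bogon vs. non-bogon source addresses in log text.
    Returns (bogon_count, total_count, bogon_fraction)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = SRC_RE.search(line)
        if not m:
            continue  # not a connection record; skip it
        key = "bogon" if is_bogon(m.group(1), unallocated) else "ok"
        counts[key] += 1
    total = sum(counts.values())
    frac = counts["bogon"] / total if total else 0.0
    return counts["bogon"], total, frac


if __name__ == "__main__":
    # Static ranges only vs. static ranges plus the unallocated snapshot:
    # the difference is the traffic a stale bogon list would let through.
    for label, unalloc in (("static only", ()),
                           ("static + snapshot", UNALLOCATED_SNAPSHOT)):
        bogon, total, frac = tally_sources(SAMPLE_LOG, unalloc)
        print(f"{label}: {bogon}/{total} sources bogon ({frac:.1%})")
```

Run it against a real log by swapping SAMPLE_LOG for the file contents and SRC_RE for whatever your log format uses to record the source address; the split between the static and unallocated lists is what you revisit when the upstream bogon list changes.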