On 3/2/07, Roland Dobbins <rdobbins@cisco.com> wrote:
> No one has done the digging required to answer any of these questions, unfortunately.

Can you get a valid answer to this based on the existence of BCP38? What I mean is, if your upstream is filtering bogons, you can't get a good read on the amount of "bad" traffic sourcing from "illegal" addresses. However, I'm sure it's there. If we stop filtering so-called "bad" addresses, I'm sure that the attacks from those addresses will increase when it's realized that the filters are gone.

I agree with others in that you can't stop looking for old attacks just because they don't happen much anymore. But we can improve the ways we look. uRPF is definitely a dynamic option, but as I understood it, there were issues with using it on multi-homed networks with asynchronous routing. Granted, it has been some time since I've looked at uRPF.

I think something like the Cymru bogon route server is great, but I'm not a very trusting person when it comes to something like that. I don't like giving up that level of control. Of course, at some point, I suppose I have to trust something...

I definitely believe in filtering both bogons and RFC 1918 space, it's just a management issue that has to be dealt with.

> -----------------------------------------------------------------------
> Roland Dobbins <rdobbins@cisco.com> // 408.527.6376 voice

--
Jason 'XenoPhage' Frisvold
XenoPhage0@gmail.com
http://blog.godshell.com
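
An added illustration, not part of the original thread, of the multi-homing concern raised in the message above: a small model of strict versus loose uRPF on a dual-homed router, with a null-routed RFC 1918 prefix standing in for a bogon feed. The FIB, interface names and packets are constructed, and a default-free routing table is assumed.

```python
import ipaddress

# Constructed FIB (prefix -> next-hop interface). "discard" models a null
# route, such as a bogon prefix installed from a route-server feed.
FIB = {
    "198.51.100.0/24": "isp-a",   # remote network, best path via ISP-A
    "203.0.113.0/24": "isp-b",    # remote network, best path via ISP-B
    "10.0.0.0/8": "discard",      # RFC 1918 space, null-routed
}

def lookup(src):
    """Longest-prefix match; returns the interface, or None if no route."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, iface in FIB.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def urpf(src, in_iface, mode):
    """Return True if a packet from src arriving on in_iface passes uRPF."""
    route = lookup(src)
    if route is None or route == "discard":
        return False              # no usable route back to the source
    if mode == "loose":
        return True               # any real route to the source is enough
    return route == in_iface      # strict: must arrive on the best-path interface

# Constructed packets: (source address, arrival interface, description)
PACKETS = [
    ("198.51.100.7", "isp-a", "legitimate, arrives on best path"),
    ("198.51.100.7", "isp-b", "legitimate, arrives on the other upstream"),
    ("10.1.2.3", "isp-a", "RFC 1918 source"),
    ("192.0.2.1", "isp-b", "source with no route in the table"),
]

if __name__ == "__main__":
    for src, iface, note in PACKETS:
        strict = "pass" if urpf(src, iface, "strict") else "drop"
        loose = "pass" if urpf(src, iface, "loose") else "drop"
        print(f"{src:>14} via {iface}: strict={strict} loose={loose}  ({note})")
```

Strict mode drops the second packet even though its source is legitimate, while loose mode passes it and still drops the null-routed and unrouted sources.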