No data, but I thought I should add...RFC 3330 "Special-Use IPv4 Addresses" lists the "obvious stuff." I just went through an exercise in de-bogonizing and needed that reference. [http://www.ietf.org/rfc/rfc3330.txt] Be careful though. It lists 24.0.0.0/8 as "special," explaining that this went to cable operators (and eventually administered via ARIN). So don't just use the Summary Table in section 3 blindly. At 13:03 -0500 1/11/06, Steven M. Bellovin wrote:
Every time IANA allocates new prefixes, we're treated to complaints about sites that are not reachable because they're in the new space and some places haven't updated their bogon filters. My question is this: have we reached a point where the bogon filters are causing more pain than they're worth?
The Team Cymru web page (http://www.cymru.com/Bogons/index.html) gives some justification, but I think the question should be revisited. First, as the page (and the associated presentation) note, most of the benefit comes from filtering obvious stuff -- 0/8, 127/8, and "class" D and E source addresses. Second, the study is about 5 years old, maybe more; attack patterns have changed since then. Third, considerably more address space has been allocated; this means that the percentage of address space that can be considered bogus is significantly smaller. Possibly, there are more sites doing edge filtering, but I'd hate to count on that.
So -- I'd like people to re-examine the question. Does anyone have more recent data on the frequency of bogons as a percentage of attack packets? What would that number look like if you filtered just the obvious -- the ranges given above, plus the RFC 1918 prefixes? Are your defenses against non-spoofed attacks really helped by the extra filtering?
--Steven M. Bellovin, http://www.cs.columbia.edu/~smb
-- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Edward Lewis +1-571-434-5468 NeuStar Inactionable unintelligence is bliss.