Re: Checking bogon status of new address space
29/256 = 11% of the available address space. My argument is, if someone is scanning you from random source addresses blocking 10% of the scan traffic is reaching a point of very little return for the effort of updating the address lists, and as we all know it is getting smaller and smaller. Granted, if the filters aren't updated very frequently, they're pretty bad. But.. I would suggest, basically, filtering bogons is still great and pretty important, it serves as an ongoing deterrant against random unruly networks trying to pick up the unassigned addresses, or treating the space as Up for grabs just because some space happens to be unannounced (and unassigned). This is a behavioral effect: possibly fewer scans are attempted from those networks than would be attempted if nobody filtered bogons. As a result, the assumption of randomness may not be warranted; if bogons weren't filtered, there would be reasons hijackers would target them (not having a legitimate assignee to contend with); 10% of the space doesn't mean 10% of the scans; it could mean 40% of the scans, if enough scanners had a policy of preferring to scan from unassigned space. With looming IP exhaustion it's possibly even more important... I'd be worried about this scenario: APNIC denied your /12 request? No problem... pick a random bogon from the last 30 unassigned /8s and somehow sneak a line into your Tier1 provider contracts requiring they propagate only your announcements to the /12 The space might otherwise be very enticing for evil scanners to use, because it's easy pickings no legitimate assignee of the address space to hunt them down and send armies of lawyers on a raid... -- -J
RE: Checking bogon status of new address space
Please set up a pingable IP address for each new netblock and post it to NANOG with a request to have us ping it. It's not automated, but it's a good start. Frank -Original Message- From: Oliver Hookins [mailto:oliver.hook...@anchor.com.au] Sent: Friday, May 08, 2009 12:34 AM To: nanog@nanog.org Subject: Checking bogon status of new address space Hi, my company has just been allocated some new IPv4 address space, and I want to do some sort of automated testing to find out any ASs out there that haven't removed the /8 it's on from their bogon list (the allocation to our local registry only occurred in November last year). Has anybody attempted to do this? It is worth bothering? Currently I'm considering pulling out all the endpoint ASs out of the BGP table, finding at least one subnet for each of them and attempting to ping or reach other common ports on a single IP for each AS from our currently working address space, and then the new address space and comparing results. -- Regards, Oliver Hookins Anchor Systems
Re: Checking bogon status of new address space
On May 8, 2009, at 2:44 PM, Frank Bulk wrote: Please set up a pingable IP address for each new netblock and post it to NANOG with a request to have us ping it. It's not automated, but it's a good start. Frank You might also want to have a look at the RIPE NCC's beacon stuff: http://www.ripe.net/ris/docs/beacon.html I do recall them to use this mechanism to test new iana assignments (/ 8) they got. Grtx, Marco
Re: Checking bogon status of new address space
Having recently received some de-bogon'ed addressing in or about this March, I can tell you that the one problem I had was people that had not updated their Bind Bogon filters ( http://www.cymru.com/Documents/secure-bind-template.html) and so were not responding to requests from our address space, so we just moved our dns cache boxes back to our older Level3 address space. Took a while to figure that one out though. Steve 2009/5/7 Oliver Hookins oliver.hook...@anchor.com.au Hi, my company has just been allocated some new IPv4 address space, and I want to do some sort of automated testing to find out any ASs out there that haven't removed the /8 it's on from their bogon list (the allocation to our local registry only occurred in November last year). Has anybody attempted to do this? It is worth bothering? Currently I'm considering pulling out all the endpoint ASs out of the BGP table, finding at least one subnet for each of them and attempting to ping or reach other common ports on a single IP for each AS from our currently working address space, and then the new address space and comparing results. -- Regards, Oliver Hookins Anchor Systems
Re: Checking bogon status of new address space
Hi, Steve. Having recently received some de-bogon'ed addressing in or about this March, I can tell you that the one problem I had was people that had not updated their Bind Bogon filters ( http://www.cymru.com/Documents/secure-bind-template.html) ... This is the primary reason we removed the static bogon lists from our Secure [BIND|IOS|BGP] Templates. My thanks to Randy Bush (and a few other folks) for the suggestion. We still have the bogon list and the dynamic bogon route-servers. https://www.team-cymru.org/Services/Bogons/ Thanks, Rob. -- Rob Thomas Team Cymru http://www.team-cymru.org/ cmn_err(CEO_PANIC, Out of coffee!);
Re: Checking bogon status of new address space
In a message written on Fri, May 08, 2009 at 12:27:29PM -0500, Rob Thomas wrote: This is the primary reason we removed the static bogon lists from our Secure [BIND|IOS|BGP] Templates. My thanks to Randy Bush (and a few other folks) for the suggestion. I want to thank Team Cymru for their effort in maintaining this list over time, it's done a lot of people a lot of good. I would also like to recommend that it's time to completely update the text on http://www.cymru.com/Documents/bogon-list.html to reflect the new reality. Looking at http://www.cymru.com/Documents/bogon-bn-nonagg.txt (bogns, bit notation, not aggregated) I see there are only 39 entries in the list. Ten of these entries are martians, and should remain: 0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 172.16.0.0/12 192.0.2.0/24 192.168.0.0/16 198.18.0.0/15 223.0.0.0/8 224.0.0.0/3 The other 29 are the unallocated /8's: 1.0.0.0/8 2.0.0.0/8 5.0.0.0/8 14.0.0.0/8 23.0.0.0/8 27.0.0.0/8 31.0.0.0/8 36.0.0.0/8 37.0.0.0/8 39.0.0.0/8 42.0.0.0/8 46.0.0.0/8 49.0.0.0/8 50.0.0.0/8 100.0.0.0/8 101.0.0.0/8 102.0.0.0/8 103.0.0.0/8 104.0.0.0/8 105.0.0.0/8 106.0.0.0/8 107.0.0.0/8 175.0.0.0/8 176.0.0.0/8 177.0.0.0/8 179.0.0.0/8 181.0.0.0/8 182.0.0.0/8 185.0.0.0/8 29/256 = 11% of the available address space. My argument is, if someone is scanning you from random source addresses blocking 10% of the scan traffic is reaching a point of very little return for the effort of updating the address lists, and as we all know it is getting smaller and smaller. To that end, I believe the recommendation should be to move to a martian-only filter over the next 12-24 months. This lines up with the time frame at which all /8's are likely to be allocated. Of course the full list of unallocated /8's should still be produced for those who want it, I'm not advocating that anything go away, just that I feel like we are at the point where the value of the list is lower than the effort to maintain it for the /average/ user of the list. I think this is in-line with the removal of the static bogon filters from the secure templates and would provide better advice to people reading the document for the first time. -- Leo Bicknell - bickn...@ufp.org - CCIE 3440 PGP keys at http://www.ufp.org/~bicknell/ pgpA1EIIwa4Mu.pgp Description: PGP signature
Re: Checking bogon status of new address space
29/256 = 11% of the available address space. My argument is, if someone is scanning you from random source addresses blocking 10% of the scan traffic is reaching a point of very little return for the effort of updating the address lists, and as we all know it is getting smaller and smaller. True, but, random is not the only thing at issue here. It is popular for fraudulent web sites to set up within these unallocated /8s, and, having them rejected by route filters is a good thing. Having Team Cymru able to further deploy lists of addresses with no valid POCs will be an additional win in this arena, and, I encourage them to do so. To that end, I believe the recommendation should be to move to a martian-only filter over the next 12-24 months. This lines up with the time frame at which all /8's are likely to be allocated. Of course the full list of unallocated /8's should still be produced for those who want it, I'm not advocating that anything go away, just that I feel like we are at the point where the value of the list is lower than the effort to maintain it for the /average/ user of the list. I think that's premature at best, and, a boon to abuse at worst. Owen
RE: Checking bogon status of new address space
Ran across two different DNS hosters in the last two weeks that were blocking space that was de-bogoned 2.5 years ago... =( One started as an e-mail issue, the other as a web access. The e-mail issue showed up as the server sending the sender an I can't deliver this e-mail because I can't resolve the DNS info, and digs from the e-mail server confirmed the case. Testing from our old IP address space worked, so it was clear it was some kind of block based on IP address. The web browsing one was easy, too, because the customer was able to browse (when they had old DNS servers) and then couldn't (when we handed out new DNS servers). Since the e-mail issue was fresh in our mind, it was one of the first things we tested. I hope both DNS hosters took the time to update the rest of their bogon lists, too, not just remove our space from the bogon list. Frank -Original Message- From: Steve Dalberg [mailto:steve+na...@sendithere.com] Sent: Friday, May 08, 2009 9:45 AM To: Oliver Hookins Cc: nanog@nanog.org Subject: Re: Checking bogon status of new address space Having recently received some de-bogon'ed addressing in or about this March, I can tell you that the one problem I had was people that had not updated their Bind Bogon filters ( http://www.cymru.com/Documents/secure-bind-template.html) and so were not responding to requests from our address space, so we just moved our dns cache boxes back to our older Level3 address space. Took a while to figure that one out though. Steve 2009/5/7 Oliver Hookins oliver.hook...@anchor.com.au Hi, my company has just been allocated some new IPv4 address space, and I want to do some sort of automated testing to find out any ASs out there that haven't removed the /8 it's on from their bogon list (the allocation to our local registry only occurred in November last year). Has anybody attempted to do this? It is worth bothering? Currently I'm considering pulling out all the endpoint ASs out of the BGP table, finding at least one subnet for each of them and attempting to ping or reach other common ports on a single IP for each AS from our currently working address space, and then the new address space and comparing results. -- Regards, Oliver Hookins Anchor Systems
Checking bogon status of new address space
Hi, my company has just been allocated some new IPv4 address space, and I want to do some sort of automated testing to find out any ASs out there that haven't removed the /8 it's on from their bogon list (the allocation to our local registry only occurred in November last year). Has anybody attempted to do this? It is worth bothering? Currently I'm considering pulling out all the endpoint ASs out of the BGP table, finding at least one subnet for each of them and attempting to ping or reach other common ports on a single IP for each AS from our currently working address space, and then the new address space and comparing results. -- Regards, Oliver Hookins Anchor Systems
