RE: Is it time to abandon bogon prefix filters?

2008-08-26 Thread Sean Donelan
On Sun, 24 Aug 2008, Tomas L. Byrnes wrote: You're missing one of the basic issues with bogon sources: they are often advertised bogons, IE the bad guy DOES care about getting the packets back, and has, in fact, created a way to do so. This is usually VERY BAD traffic, and EVEN WORSE if a user

RE: Is it time to abandon bogon prefix filters?

2008-08-25 Thread Tomas L. Byrnes
, Bogon filtering has value beyond mere spoofed source rejection. -Original Message- From: Sean Donelan [mailto:[EMAIL PROTECTED] Sent: Thursday, August 21, 2008 5:19 PM To: NANOG list Subject: Re: Is it time to abandon bogon prefix filters? On Mon, 18 Aug 2008, Danny McPherson

Re: Is it time to abandon bogon prefix filters?

2008-08-25 Thread Valdis . Kletnieks
On Sun, 24 Aug 2008 23:21:23 PDT, Tomas L. Byrnes said: You're missing one of the basic issues with bogon sources: they are often advertised bogons, IE the bad guy DOES care about getting the packets back, and has, in fact, created a way to do so. But if you've seen a BGP announcement with a

Re: Is it time to abandon bogon prefix filters?

2008-08-25 Thread Chris Marlatt
[EMAIL PROTECTED] wrote: On Sun, 24 Aug 2008 23:21:23 PDT, Tomas L. Byrnes said: You're missing one of the basic issues with bogon sources: they are often advertised bogons, IE the bad guy DOES care about getting the packets back, and has, in fact, created a way to do so. But if you've seen a

Re: Is it time to abandon bogon prefix filters?

2008-08-25 Thread Jared Mauch
On Thu, Aug 21, 2008 at 08:03:19PM -0400, Sean Donelan wrote: On Tue, 19 Aug 2008, Kevin Loch wrote: While you're at it, you also placed the reachable-via rx on all your customer interfaces. If you're paranoid, start with the 'any' rpf and then move to the strict rpf. The strict rpf also

Re: Is it time to abandon bogon prefix filters?

2008-08-25 Thread Marshall Eubanks
On Aug 25, 2008, at 10:22 AM, Jared Mauch wrote: On Thu, Aug 21, 2008 at 08:03:19PM -0400, Sean Donelan wrote: On Tue, 19 Aug 2008, Kevin Loch wrote: While you're at it, you also placed the reachable-via rx on all your customer interfaces. If you're paranoid, start with the 'any'

Re: Is it time to abandon bogon prefix filters?

2008-08-25 Thread Valdis . Kletnieks
On Mon, 25 Aug 2008 09:38:00 EDT, Chris Marlatt said: IIRC bogon is specific to unallocated space. Whether it be advertised or not should not matter. Right. Tell that to everybody who's ever been at the wrong end of a bogon filter for 69/8, 70/8, 71/8... I'll go out on a limb and say that

Re: Is it time to abandon bogon prefix filters?

2008-08-25 Thread Mark Andrews
In article [EMAIL PROTECTED] you write: On Aug 25, 2008, at 10:22 AM, Jared Mauch wrote: On Thu, Aug 21, 2008 at 08:03:19PM -0400, Sean Donelan wrote: With all the concern about DNS cache integrity, network abuse, etc.. networks that are not taking affirmative action to implement better

Re: Is it time to abandon bogon prefix filters?

2008-08-21 Thread Jo Rhett
On Aug 20, 2008, at 7:00 AM, Kevin Loch wrote: It doesn't look like the feasible paths rpf handles the situation where your bgp customer is not announcing all or any of their prefixes to you. This can be done for TE or debugging an inbound routing issue. Announcing prefixes to me and then

Re: Is it time to abandon bogon prefix filters?

2008-08-21 Thread Sean Donelan
On Tue, 19 Aug 2008, Kevin Loch wrote: While you're at it, you also placed the reachable-via rx on all your customer interfaces. If you're paranoid, start with the 'any' rpf and then move to the strict rpf. The strict rpf also helps with routing loops. Be careful not to enable strict

Re: Is it time to abandon bogon prefix filters?

2008-08-21 Thread Sean Donelan
On Mon, 18 Aug 2008, Danny McPherson wrote: All the interesting attacks today that employ spoofing (and the majority of the less-interesting ones that employ spoofing) are usually relying on existence of the source as part of the attack vector (e.g., DNS cache poisoning, BGP TCP RST attacks, DNS

Re: Is it time to abandon bogon prefix filters?

2008-08-20 Thread Kevin Loch
Pekka Savola wrote: On Tue, 19 Aug 2008, Kevin Loch wrote: While you're at it, you also placed the reachable-via rx on all your customer interfaces. If you're paranoid, start with the 'any' rpf and then move to the strict rpf. The strict rpf also helps with routing loops. Be careful

Re: Is it time to abandon bogon prefix filters?

2008-08-19 Thread Kevin Loch
Jared Mauch wrote: While you're at it, you also placed the reachable-via rx on all your customer interfaces. If you're paranoid, start with the 'any' rpf and then move to the strict rpf. The strict rpf also helps with routing loops. Be careful not to enable strict rpf on multihomed

Re: Is it time to abandon bogon prefix filters?

2008-08-19 Thread Pekka Savola
On Tue, 19 Aug 2008, Kevin Loch wrote: While you're at it, you also placed the reachable-via rx on all your customer interfaces. If you're paranoid, start with the 'any' rpf and then move to the strict rpf. The strict rpf also helps with routing loops. Be careful not to enable

RE: Is it time to abandon bogon prefix filters?

2008-08-18 Thread michael.dillon
for my own use, i use m4, python and perl, and peval() m4 is a macro processor that you probably should not bother learning since you can do everything that it does by using Python and regular expressions, or one of the Python parsing modules. For instance PLY supports conditional lexing and

RE: Is it time to abandon bogon prefix filters?

2008-08-18 Thread michael.dillon
(Without an offline configuration generator, I postulate that it can't be done.) Doesn't everyone use an offline config generator these days? After all, there is a lot more CPU power and database capacity outside of the routers than there is inside. --Michael Dillon

Re: Is it time to abandon bogon prefix filters?

2008-08-18 Thread Jeff Aitken
On Mon, Aug 18, 2008 at 09:51:20AM +0100, [EMAIL PROTECTED] wrote: m4 is a macro processor that you probably should not bother learning since you can do everything that it does by using Python Oh, Abley is gonna have fun with this... and for the record, my money is on Joe. He could probably

Re: Is it time to abandon bogon prefix filters?

2008-08-18 Thread Jared Mauch
On Sun, Aug 17, 2008 at 07:57:25PM -0500, Pete Templin wrote: Tomas L. Byrnes wrote: Since there are ways to dynamically filter the bogons, using BGP or DNS, I don't really see the need to stop doing so. If you're managing your routing and firewall filters manually, you have bigger problems

Re: Is it time to abandon bogon prefix filters?

2008-08-18 Thread Pete Templin
Jared Mauch wrote: On a router with full routes (ie: no default) the command is: Router(config-if)#ip verify unicast source reachable-via any None of these suggestions (including the wisecrack ACLs) provide full filtering: If a miscreant originates a route in bogon space, their

Re: Is it time to abandon bogon prefix filters?

2008-08-18 Thread Nathan Ward
On 19/08/2008, at 2:01 AM, Sam Stickland wrote: I think you misunderstand the meaning of the ip verify unicast source reachable-via any command. When a packet arrives the router will drop it if it doesn't have a valid return path for the source. Since the source is a bogon, and routed to

Re: Is it time to abandon bogon prefix filters?

2008-08-18 Thread Chris Adams
Once upon a time, Sam Stickland [EMAIL PROTECTED] said: I think you misunderstand the meaning of the ip verify unicast source reachable-via any command. When a packet arrives the router will drop it if it doesn't have a valid return path for the source. Since the source is a bogon, and

Re: Is it time to abandon bogon prefix filters?

2008-08-18 Thread Eric Jensen
Message: 3 Date: Mon, 18 Aug 2008 08:21:38 -0500 From: Pete Templin [EMAIL PROTECTED] Subject: Re: Is it time to abandon bogon prefix filters? None of these suggestions (including the wisecrack ACLs) provide full filtering: If a miscreant originates a route in bogon space, their transit

RE: Is it time to abandon bogon prefix filters?

2008-08-18 Thread Tomas L. Byrnes
: Is it time to abandon bogon prefix filters? Once upon a time, Sam Stickland [EMAIL PROTECTED] said: I think you misunderstand the meaning of the ip verify unicast source reachable-via any command. When a packet arrives the router will drop it if it doesn't have a valid return path

Re: Is it time to abandon bogon prefix filters?

2008-08-18 Thread Danny McPherson
On Aug 18, 2008, at 6:33 AM, Jared Mauch wrote: On a router with full routes (ie: no default) the command is: Router(config-if)#ip verify unicast source reachable-via any Go ahead and try it out. you can view the resulting drop counter via the 'show ip int x/y' command.

RE: Is it time to abandon bogon prefix filters?

2008-08-16 Thread Tomas L. Byrnes
15, 2008 5:23 AM To: Randy Bush Cc: NANOG list Subject: Re: Is it time to abandon bogon prefix filters? Randy Bush [EMAIL PROTECTED] writes: bogon block attacks % of attacks 0.0.0.0/7 65 0.01 2.0.0.0/8 3 0.00 5.0.0.0/8 3 0.00 10.0.0.0/8

RE: Is it time to abandon bogon prefix filters?

2008-08-16 Thread Tomas L. Byrnes
Team Cymru has been doing this for routers forever. -Original Message- From: Sean Donelan [mailto:[EMAIL PROTECTED] Sent: Friday, August 15, 2008 10:07 AM To: Steven M. Bellovin Cc: NANOG list Subject: Re: Is it time to abandon bogon prefix filters? On Fri, 15 Aug 2008, Steven M

Re: Is it time to abandon bogon prefix filters?

2008-08-16 Thread Randy Bush
i contend that all one's routers should be rigorously configured as programmatically as possible. What sort of tools do you use to facilitate this? ntt/verio, level(3), ... have sophisticated locally developed systems. they see these as competitive advantage, so sharing is extremely unlikely.

Re: Is it time to abandon bogon prefix filters?

2008-08-15 Thread Robert E. Seastrom
Randy Bush [EMAIL PROTECTED] writes: bogon block attacks % of attacks 0.0.0.0/7 65 0.01 2.0.0.0/8 3 0.00 5.0.0.0/8 3 0.00 10.0.0.0/8 8794 1.21 23.0.0.0/8 4 0.00 27.0.0.0/8 7 0.00 92.0.0.0/6 101 0.01

Re: Is it time to abandon bogon prefix filters?

2008-08-15 Thread Randy Bush
In other words, our earlier estimate of 60% was way off... you can get 92.1% effectiveness at bogon filtering by just dropping 1918 addresses, a filter that you will never have to change. my read is that the 60% was an alleged 60% of attacks came from *all* bogon space. this now seems in the

Re: Is it time to abandon bogon prefix filters?

2008-08-15 Thread Marshall Eubanks
On Aug 15, 2008, at 9:26 AM, Randy Bush wrote: In other words, our earlier estimate of 60% was way off... you can get 92.1% effectiveness at bogon filtering by just dropping 1918 addresses, a filter that you will never have to change. my read is that the 60% was an alleged 60% of attacks

Re: Is it time to abandon bogon prefix filters?

2008-08-15 Thread Robert E. Seastrom
Randy Bush [EMAIL PROTECTED] writes: In other words, our earlier estimate of 60% was way off... you can get 92.1% effectiveness at bogon filtering by just dropping 1918 addresses, a filter that you will never have to change. my read is that the 60% was an alleged 60% of attacks came from

Re: Is it time to abandon bogon prefix filters?

2008-08-15 Thread Randy Bush
In other words, our earlier estimate of 60% was way off... you can get 92.1% effectiveness at bogon filtering by just dropping 1918 addresses, a filter that you will never have to change. my read is that the 60% was an alleged 60% of attacks came from *all* bogon space. this now seems in

Re: Is it time to abandon bogon prefix filters?

2008-08-15 Thread Sean Donelan
On Fri, 15 Aug 2008, Robert E. Seastrom wrote: so is there any case to be made for filtering bogons on upstream/peering ingress at all anymore? Depends on where and how. On highly managed routers at highly managed interconnection points around the Internet, having some basic packet hygiene

Re: Is it time to abandon bogon prefix filters?

2008-08-15 Thread Steven M. Bellovin
On Fri, 15 Aug 2008 09:49:38 -0400 (EDT) Sean Donelan [EMAIL PROTECTED] wrote: On Fri, 15 Aug 2008, Randy Bush wrote: my read is that the 60% was an alleged 60% of attacks came from *all* bogon space. this now seems in the low single digit percentage. of that, the majority is from 1918

Re: Is it time to abandon bogon prefix filters?

2008-08-15 Thread Sean Donelan
On Fri, 15 Aug 2008, Steven M. Bellovin wrote: Martians plus 1918 space, I'd say, though that requires knowing which are border interfaces. Whether you include or exclude rfc1918 addresses is another issue. Whack the martians first :-) Unfortunately, enough ISPs use rfc1918 addresses on

Re: Is it time to abandon bogon prefix filters?

2008-08-15 Thread Robert E. Seastrom
Sean Donelan [EMAIL PROTECTED] writes: For unmanaged and semi-managed routers, I'd suggest strict out-bound packet controls (i.e. be conservative in what you send) because you already need to make operational updates when they change. But consider using inbound controls that require less

Re: Is it time to abandon bogon prefix filters?

2008-08-15 Thread Robert E. Seastrom
Sean Donelan [EMAIL PROTECTED] writes: On Fri, 15 Aug 2008, Robert E. Seastrom wrote: so is there any case to be made for filtering bogons on upstream/peering ingress at all anymore? Depends on where and how. On highly managed routers at highly managed interconnection points around the

Re: Is it time to abandon bogon prefix filters?

2008-08-15 Thread Randy Bush
Again, I think bogon filters are a bad idea for unmanaged or semi-managed routers (or inclusion as a default in anything, i.e. Cisco's auto-secure). You make a very good point about the difference between routers that are being routinely maintained by highly clueful people and routers that

Re: Is it time to abandon bogon prefix filters?

2008-08-15 Thread Randy Bush
as a mutual friend who pretends he does not read nanog emailed privately rfc1918 filters, like bcp38 filters, could be construed as topological assertions rather than bogon filters per se. certainly they are for edge routers, but even in the dfz, i don't think we're in rfc 1918 space anymore,

Re: Is it time to abandon bogon prefix filters?

2008-08-15 Thread Laurence F. Sheldon, Jr.
Randy Bush wrote: in the field != untouched/unloved i contend that all one's routers should be rigorously configured as programmatically as possible. It seems to me that those are the routers where the filtering of both packets and routes is easiest and most effective. If every such router

Re: Is it time to abandon bogon prefix filters?

2008-08-15 Thread Robert E. Seastrom
Steven M. Bellovin [EMAIL PROTECTED] writes: Security? Remember that availability is a security issue, too. It never ceases to amaze me how many security people walk around oblivious to this basic notion. -r

Re: Is it time to abandon bogon prefix filters?

2008-08-15 Thread Laurence F. Sheldon, Jr.
Robert E. Seastrom wrote: Steven M. Bellovin [EMAIL PROTECTED] writes: Security? Remember that availability is a security issue, too. It never ceases to amaze me how many security people walk around oblivious to this basic notion. But of course! The most secure object is one nobody knows

Re: Is it time to abandon bogon prefix filters?

2008-08-15 Thread Robert E. Seastrom
Randy Bush [EMAIL PROTECTED] writes: Again, I think bogon filters are a bad idea for unmanaged or semi-managed routers (or inclusion as a default in anything, i.e. Cisco's auto-secure). You make a very good point about the difference between routers that are being routinely maintained by

Re: Is it time to abandon bogon prefix filters?

2008-08-15 Thread Randy Bush
Not sure what you mean by this, but the painful reality is that most stuff, once deployed, gets promptly forgotten about, much the same as you might ignore a wall wart power supply under your desk until it started smelling funny or stopped delivering electricity. Thus, I contend that one's

Re: Is it time to abandon bogon prefix filters?

2008-08-15 Thread Robert E. Seastrom
Randy Bush [EMAIL PROTECTED] writes: Not sure what you mean by this, but the painful reality is that most stuff, once deployed, gets promptly forgotten about, much the same as you might ignore a wall wart power supply under your desk until it started smelling funny or stopped delivering

Re: Is it time to abandon bogon prefix filters?

2008-08-15 Thread Steven M. Bellovin
On Fri, 15 Aug 2008 08:56:27 -0700 Randy Bush [EMAIL PROTECTED] wrote: Not sure what you mean by this, but the painful reality is that most stuff, once deployed, gets promptly forgotten about, much the same as you might ignore a wall wart power supply under your desk until it started

Re: Is it time to abandon bogon prefix filters?

2008-08-15 Thread Sean Donelan
On Fri, 15 Aug 2008, Steven M. Bellovin wrote: and i am saying that you should use a router configuration *system* that avoids ticking time bombs. no router should be neglected and unloved. That, I think, is why he distinguished between routers run by highly clueful people and routers run by

Re: Is it time to abandon bogon prefix filters?

2008-08-14 Thread Andree Toonk
Hi Randy, .-- My secret spy satellite informs me that at Thu, 07 Aug 2008, Randy Bush wrote: serious curiosity: what is the proportion of bad stuff coming from unallocated space vs allocated space? real measurements, please. and are there longitudinal data on this? are the uw folk,

Re: Is it time to abandon bogon prefix filters?

2008-08-14 Thread Danny McPherson
On Aug 6, 2008, at 9:01 AM, Randy Bush wrote: serious curiosity: what is the proportion of bad stuff coming from unallocated space vs allocated space? real measurements, please. and are there longitudinal data on this? are the uw folk, gatech, vern, ... measuring? Some data from our

Re: Is it time to abandon bogon prefix filters?

2008-08-14 Thread Randy Bush
bogon block attacks % of attacks 0.0.0.0/7 65 0.01 2.0.0.0/8 3 0.00 5.0.0.0/8 3 0.00 10.0.0.0/8 8794 1.21 23.0.0.0/8 4 0.00 27.0.0.0/8 7 0.00 92.0.0.0/6 101 0.01 100.0.0.0/6 374 0.05 104.0.0.0/5 303

Re: Is it time to abandon bogon prefix filters?

2008-08-14 Thread Danny McPherson
On Aug 6, 2008, at 12:01 PM, Sean Donelan wrote: Attacks or misconfigured leaks? Leaks of RFC1918 stuff is pretty common, just ask any of the root server operators how many packets they see from RFC1918 leaking networks or do a traceroute across several residential cable network

Re: Is it time to abandon bogon prefix filters?

2008-08-07 Thread Pete Templin
Patrick W. Gilmore wrote: Filter your bogons. But do it in an automated fashion, from a trusted source. Of course, I recommend Team Cymru, which has a most sterling record. Nearly perfect (other than the fact they still recommend MD5 on BGP sessions :). How can you recommend Team Cymru,

Re: Is it time to abandon bogon prefix filters?

2008-08-07 Thread Patrick W. Gilmore
On Aug 7, 2008, at 2:04 PM, Pete Templin wrote: Patrick W. Gilmore wrote: Filter your bogons. But do it in an automated fashion, from a trusted source. Of course, I recommend Team Cymru, which has a most sterling record. Nearly perfect (other than the fact they still recommend MD5 on

Re: Is it time to abandon bogon prefix filters?

2008-08-07 Thread Robert E. Seastrom
Patrick W. Gilmore [EMAIL PROTECTED] writes: How much does it help to filter the bogons? In one study conducted by Rob Thomas of a frequently attacked site, fully 60% of the naughty packets were obvious bogons (e.g. 127.1.2.3, 0.5.4.3, etc.) Stated another way, you can get 60% success on

Re: Is it time to abandon bogon prefix filters?

2008-08-07 Thread Randy Bush
How much does it help to filter the bogons? In one study conducted by Rob Thomas of a frequently attacked site, fully 60% of the naughty packets were obvious bogons (e.g. 127.1.2.3, 0.5.4.3, etc.) Stated another way, you can get 60% success on bogon filtering by ignoring the free pool if

Re: Is it time to abandon bogon prefix filters?

2008-08-07 Thread Robert E. Seastrom
Randy Bush [EMAIL PROTECTED] writes: How much does it help to filter the bogons? In one study conducted by Rob Thomas of a frequently attacked site, fully 60% of the naughty packets were obvious bogons (e.g. 127.1.2.3, 0.5.4.3, etc.) Stated another way, you can get 60% success on bogon

Re: Is it time to abandon bogon prefix filters?

2008-08-07 Thread Rob Thomas
Hi, NANOG (he says with a shout)! btw, patrick neglected the last sentences of that paragraph, which made me wonder what rob would actually say. luckily, in response to my post, rob replied that he/they would try to get some useful measures in the near term. i am patient. Yep yep, have some

Re: Is it time to abandon bogon prefix filters?

2008-08-07 Thread Patrick W. Gilmore
[Just a correction because Randy attributed something to me that I didn't do.] On Aug 7, 2008, at 4:14 PM, Randy Bush wrote: btw, patrick neglected the last sentences of that paragraph, which made me wonder what rob would actually say. luckily, in response to my post, rob replied that

Re: Is it time to abandon bogon prefix filters?

2008-08-07 Thread Patrick W. Gilmore
On Aug 7, 2008, at 5:35 PM, Robert E. Seastrom wrote: Randy Bush [EMAIL PROTECTED] writes: How much does it help to filter the bogons? In one study conducted by Rob Thomas of a frequently attacked site, fully 60% of the naughty packets were obvious bogons (e.g. 127.1.2.3, 0.5.4.3, etc.)

Re: Is it time to abandon bogon prefix filters?

2008-08-07 Thread Rob Thomas
I guess I parsed that differently than you did. When he said fully 60% of the naughty packets were obvious bogons, I read that as meaning 60% of all bad packets (bogon-sourced or otherwise) were from bogon space. That's correct. -- Rob Thomas Team Cymru http://www.team-cymru.org/

Re: Is it time to abandon bogon prefix filters?

2008-08-07 Thread Randy Bush
rob, If the source of a scan or probe is a bogon, we tag it that way in our data store. I went back to 2008-01 and found the following percentages of bogons in our data: 2008-01: 0.001095262% 2008-02: 0.001759343% 2008-03: 0.001619555% 2008-04: 0.001433908% 2008-05:

Re: Is it time to abandon bogon prefix filters?

2008-08-07 Thread Niels Bakker
* [EMAIL PROTECTED] (Randy Bush) [Fri 08 Aug 2008, 00:59 CEST]: rob, If the source of a scan or probe is a bogon, we tag it that way in our data store. I went back to 2008-01 and found the following percentages of bogons in our data: [..] 2008-08: 0.001258054% (thus far) this is an

Re: Is it time to abandon bogon prefix filters?

2008-08-07 Thread Rob Thomas
Hey, Randy. this is an extremely far cry from 60%. what am i not understanding? There are a few factors at work here. One, the 60% figure was from 2001-03-16. There were more bogons then, and our sundry measures saw a lot more malevolence from bogon space. A popular belief in the

Re: Is it time to abandon bogon prefix filters?

2008-08-07 Thread Rob Thomas
This is scanning of darknets - usually you're interested in what comes back, i.e. can you 0wn it? so src has to be valid. Yep yep. -- Rob Thomas Team Cymru http://www.team-cymru.org/ cmn_err(CEO_PANIC, Out of coffee!);

Is it time to abandon bogon prefix filters?

2008-08-06 Thread Leo Bicknell
Bogon filters made a lot of sense when most of the Internet was bogons. Back when 5% of the IP space was allocated, blocking the other 95% was an extremely useful endeavour. However, by the same logic, as we get to 80-90% used, blocking the 20-10% unused is reaching diminishing returns; and at the

RE: Is it time to abandon bogon prefix filters?

2008-08-06 Thread Darden, Patrick S.
to abandon bogon prefix filters? Bogon filters made a lot of sense when most of the Internet was bogons. Back when 5% of the IP space was allocated, blocking the other 95% was an extremely useful endeavour. However, by the same logic, as we get to 80-90% used, blocking the 20-10% unused is reaching

Re: Is it time to abandon bogon prefix filters?

2008-08-06 Thread Rob Thomas
This makes sense especially for static filters. Automated feeds, such as the bogon route-server or DNS zones, leaves folks with options. -- Rob Thomas Team Cymru http://www.team-cymru.org/ cmn_err(CEO_PANIC, Out of coffee!);

Re: Is it time to abandon bogon prefix filters?

2008-08-06 Thread Patrick W. Gilmore
On Aug 6, 2008, at 10:28 AM, Rob Thomas wrote: This makes sense especially for static filters. Automated feeds, such as the bogon route-server or DNS zones, leaves folks with options. Honestly, I don't believe the 80/20 rules applies here. Until all transit networks are willing to

Re: Is it time to abandon bogon prefix filters?

2008-08-06 Thread Randy Bush
Until all transit networks are willing to strictly filter their downstreams (and themselves!), if there is any unused space (note I said unused, not unallocated), the miscreants will use it. serious curiosity: what is the proportion of bad stuff coming from unallocated space vs allocated

Re: Is it time to abandon bogon prefix filters?

2008-08-06 Thread Rob Thomas
serious curiosity: what is the proportion of bad stuff coming from unallocated space vs allocated space? real measurements, please. and are there longitudinal data on this? Let me see what we can produce in the way of data. I'll just count 2008, though I could go back further if there's

Re: Is it time to abandon bogon prefix filters?

2008-08-06 Thread Justin Shore
Randy Bush wrote: serious curiosity: what is the proportion of bad stuff coming from unallocated space vs allocated space? real measurements, please. and are there longitudinal data on this? are the uw folk, gatech, vern, ... measuring? I still have 2 of my borders using an inbound ACL to

Re: Is it time to abandon bogon prefix filters?

2008-08-06 Thread Justin Shore
Leo Bicknell wrote: Have bogon filters outlived their use? Is it time to recommend people go to a simpler bogon filter (e.g. no 1918, Class D, Class E) that doesn't need to be updated as frequently? In my opinion no; BOGON filters are still very useful. Back when only 5% of the IP space was

Re: Is it time to abandon bogon prefix filters?

2008-08-06 Thread Rob Evans
I see a number of hits on those entries, especially on 94/8. and 0/8. You do know that 94/8 has been assigned to the RIPE NCC, right? :-) Cheers, Rob

Re: Is it time to abandon bogon prefix filters?

2008-08-06 Thread Laurence F. Sheldon, Jr.
Leo Bicknell wrote: Have bogon filters outlived their use? Is it time to recommend people go to a simpler bogon filter (e.g. no 1918, Class D, Class E) that doesn't need to be updated as frequently? Seems like filtering against those could be done on the backplane, so to speak. One of the

Re: Is it time to abandon bogon prefix filters?

2008-08-06 Thread Justin Shore
Rob Evans wrote: I see a number of hits on those entries, especially on 94/8. and 0/8. You do know that 94/8 has been assigned to the RIPE NCC, right? :-) I knew I should have logged into a production box to look at the ACL counters. But no, I thought the former border that I was already

Re: Is it time to abandon bogon prefix filters?

2008-08-06 Thread Patrick W. Gilmore
On Aug 6, 2008, at 11:46 AM, Laurence F. Sheldon, Jr. wrote: Leo Bicknell wrote: Have bogon filters outlived their use? Is it time to recommend people go to a simpler bogon filter (e.g. no 1918, Class D, Class E) that doesn't need to be updated as frequently? Seems like filtering against

RE: Is it time to abandon bogon prefix filters?

2008-08-06 Thread Skywing
. Gilmore [EMAIL PROTECTED] Sent: Wednesday, August 06, 2008 11:59 To: NANOG list nanog@nanog.org Subject: Re: Is it time to abandon bogon prefix filters? On Aug 6, 2008, at 11:46 AM, Laurence F. Sheldon, Jr. wrote: Leo Bicknell wrote: Have bogon filters outlived their use? Is it time to recommend

RE: Is it time to abandon bogon prefix filters?

2008-08-06 Thread Darden, Patrick S.
this conversation about.) Nothing specific to Cymru. --Patrick Darden -Original Message- From: Skywing [mailto:[EMAIL PROTECTED] Sent: Wednesday, August 06, 2008 1:25 PM To: Patrick W. Gilmore; NANOG list Subject: RE: Is it time to abandon bogon prefix filters? Then again, it does make Team

Re: Is it time to abandon bogon prefix filters?

2008-08-06 Thread Sean Donelan
On Thu, 7 Aug 2008, Randy Bush wrote: serious curiosity: what is the proportion of bad stuff coming from unallocated space vs allocated space? real measurements, please. and are there longitudinal data on this? are the uw folk, gatech, vern, ... measuring? Attacks or misconfigured leaks?

Re: Is it time to abandon bogon prefix filters?

2008-08-06 Thread Rob Thomas
Hi, Skywing. We've had a few DDoS attacks and lots of scans and hack attempts. Some of the DDoS attacks managed to wipe out our front-end. At no point were the route-servers impacted, since we keep them well away from our networks, widely distributed, and vigorously monitored (configs,

Re: Is it time to abandon bogon prefix filters?

2008-08-06 Thread Sam Stickland
Skywing wrote: Then again, it does make Team Cymru an attractive target for DoS or even compromise if they can control routing policy to a degree for a large number of disparate networks. Especially if it gets in the way of for-profit spammers. (Not trying to knock them, just providing a for