Re: Is it time to abandon bogon prefix filters?

[Sean Donelan <sean () donelan com>]

On Fri, 15 Aug 2008, Randy Bush wrote:
> my read is that the 60% was an alleged 60% of attacks came from *all*
> bogon space.  this now seems in the low single digit percentge.  of
> that, the majority is from 1918 space.

Although I've disagreed with Rob about the configuration of bogon filters, 
especially on unmanaged (or semi-managed) routers, it is important to 
remember attacks and bogus packets are not naturally occuring phenomenon. 
The attacker chooses the attack vector and target, usually based on 
effectiveness and vulnerability but often on ease for the attacker.

Packet and especially source address hygiene can be very useful for highly 
managed equipement.  However, bogon filters have often become more a 
source of recurring security consultant maintenance revenue than effective 
packet controls.  Understanding the operational maintenance demands is
also an important part of implementing good security controls.

For unmanaged and semi-managed routers, I'd suggest strict out-bound 
packet controls (i.e. be conservative in what you send) because you 
already need to make operational updates when they change.  But consider
using inbound controls that require less extensive recurring maintenance, 
e.g. only filtering martians (i.e. 0/8, 127/8, 255.255.255.255/32, etc) 
instead of updating bogons (i.e. changing reserved and unallocated) every 
few months.