On 29/06/2007, at 1:14 PM, Alastair Johnson wrote:
Jonny Martin wrote:
On 29/06/2007, at 11:37 AM, Gerard Creamer wrote:
We had a bogon list with 112.0.0.0/5 in it and misread it as /8 several times before growing a brain and sorting it out. Just thought I'd mention it so folks can recheck their bogon lists to ensure that the following aren't being stopped by a larger aggregation.
We're still using static bogon filters?
Team Cymru provide a bogon BGP feed which makes keeping up with bogon changes a cinch. 1 - Peer with the Cymru bogon route server. 2 - Profit!
Ignoring some people/organisations that may have corporate or architectural (or simply rule with an iron fist) approaches that prevent or restrict giving the potential to explode your network to a third party, of course.
How does network explosion happen? My recommended way of using Team Cymru bogon filters is to get the BGP feed, and filter it so that you only accept prefixes that fall within your list of currently known bogon prefixes, with the prefix length that you currently know. From there, all they have the ability to do is to withdraw bogons, not introduce new ones. The only network explosion I could see would be large amounts of advertisement/withdrawal churn eating control plane cycles, but these same networks peer with direct competitors already, so it's not really introducing any new attack vectors.
However, there is a safer approach still: don't use bogon filters at all. I've managed to convince myself they have caused, and continue to cause, far more damage than good.
YMMV of course.
Fair enough. I don't have any data to suggest how many attacks/whatever they prevent these days, but if they don't have much effect that may be because people don't bother hijacking bogon space, because of the (perceived?) widespread deployment of filters to prevent it. -- Nathan Ward
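An added example, not part of the thread above and not Team Cymru's or any poster's code: a Python model of the two points raised in the thread. `accept_from_feed` and `apply_feed` implement the inbound policy Nathan describes (accept a feed announcement only if it is an exact address-and-length match against the locally known bogon list, so the feed can withdraw entries but never add new ones), and `overreach` is the kind of sanity check that would have caught the 112.0.0.0/5-read-as-/8 entry Gerard mentions. The function names, the `KNOWN_BOGONS` table and every prefix in it are constructed sample data for illustration, not a current bogon list.

```python
"""
Constructed example: safe consumption of a third-party bogon BGP feed,
plus a check for over-aggregated entries in a static bogon list.
The prefixes below are sample data, not an authoritative bogon table.
"""
import ipaddress
from typing import Dict, Iterable, List, Tuple

# Constructed local policy: bogons we already know, with the exact prefix
# lengths we intend to filter on. A feed update is accepted only when it
# matches one of these entries exactly (same network address, same length).
KNOWN_BOGONS = frozenset(
    ipaddress.ip_network(p)
    for p in (
        "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
        "172.16.0.0/12", "192.0.2.0/24", "192.168.0.0/16",
        "224.0.0.0/4", "240.0.0.0/4", "112.0.0.0/8",
    )
)


def accept_from_feed(prefix: str, known=KNOWN_BOGONS) -> bool:
    """Inbound filter: exact match (address and length) against the local list.

    A supernet such as 112.0.0.0/5, a more-specific such as 10.0.0.0/16,
    or anything outside the list is rejected, so the feed cannot introduce
    bogon space we did not already block ourselves.
    """
    try:
        net = ipaddress.ip_network(prefix, strict=True)
    except ValueError:
        return False  # malformed, or host bits set: drop it
    return net in known


def apply_feed(updates: Iterable[Tuple[str, str]],
               known=KNOWN_BOGONS) -> List[str]:
    """Replay ("announce" | "withdraw", prefix) updates from the feed.

    Returns the prefixes currently installed from the feed, sorted.
    Announcements pass through accept_from_feed; withdrawals only ever
    remove, and withdrawing something never accepted is a no-op.
    """
    active: set = set()
    for action, prefix in updates:
        if action == "announce":
            if accept_from_feed(prefix, known):
                active.add(ipaddress.ip_network(prefix))
        elif action == "withdraw":
            active.discard(ipaddress.ip_network(prefix, strict=False))
        else:
            raise ValueError(f"unknown update type: {action!r}")
    return sorted(str(n) for n in active)


def overreach(entry: str, intended: str) -> List[str]:
    """List the blocks, at the intended prefix length, that `entry` covers
    but `intended` does not. Empty means the entry is no wider than intended.

    For the thread's example, overreach("112.0.0.0/5", "112.0.0.0/8")
    reports 113.0.0.0/8 through 119.0.0.0/8: seven extra /8s blocked.
    """
    e = ipaddress.ip_network(entry)
    i = ipaddress.ip_network(intended)
    if e.prefixlen >= i.prefixlen:
        return []  # entry is as specific as, or more specific than, intended
    return [str(s) for s in e.subnets(new_prefix=i.prefixlen) if s != i]


if __name__ == "__main__":
    # Constructed feed session: only the exact-match announcement survives,
    # and the later withdrawal removes it again.
    session = [
        ("announce", "10.0.0.0/8"),     # known bogon, exact: accepted
        ("announce", "8.8.8.0/24"),     # not a bogon: rejected
        ("announce", "112.0.0.0/5"),    # supernet of a known bogon: rejected
        ("announce", "112.0.0.0/8"),    # known bogon, exact: accepted
        ("withdraw", "112.0.0.0/8"),    # withdrawal honoured
    ]
    print("installed from feed:", apply_feed(session))
    print("extra /8s blocked by 112.0.0.0/5:",
          overreach("112.0.0.0/5", "112.0.0.0/8"))
```

On a router the same policy is an inbound prefix-list with one exact-length entry per known bogon and an implicit deny, applied to the session with the route server; the Python above just makes the accept/withdraw behaviour and the aggregation check easy to test against a list before it goes into production.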