On 1/07/2007, at 1:27 AM, Alastair Johnson wrote:
> Nathan Ward wrote:
>> How does network explosion happen?
> "Potential"
>> My recommended way of using Team Cymru bogon filters is to get the BGP feed, and filter it so that you only accept prefixes that fall within your list of currently known bogon prefixes, with the prefix length that you currently know. From there, all they have the ability to do is to withdraw bogons, not introduce new ones.
>> The only network explosion I could see would be large amounts of advertisement/withdrawal churn eating control plane cycles, but these same networks peer with direct competitors already, so it's not really introducing any new attack vectors.
> Right - these are all good mitigation tactics and should be applied to any peer. I'd also assume you would max-prefix the session to something reasonable as well, because if you're going to allow a prefix length range of say /8 to /24, you have the POTENTIAL for mass injection of prefixes.

Why would you accept a range? I'd just accept the shortest prefix; if a longer prefix is de-bogoned it just means you don't count the still-bogon part as bogon until you update those filters. Think of it as a way to shorten bogon lists only, not modify them. Sure, you don't get full coverage for a bit, but you certainly get more than just not filtering at all. I've done this before on a router that did little more than do network-wide blackholes and that sort of thing, and it worked great - of course, Cymru didn't try to dump large numbers of prefixes at me, so.. y'know.

> Peering with direct competitors or any other random network vs peering with something that influences your network 'security' and operation are two quite different things. If you're using that BGP-fed bogon list to trigger uRPF for instance, it's an entirely new potential attack vector.

Sure, but I'm betting that it can be done smartly.

> Have I heard of anything happening like that? No. Do I believe Team Cymru would ever do anything like that? No. Can accidents happen? Yes.
> There are risk-averse operators and corps out there that for reasons like these would not peer with a third party for that.

Yep, I can understand that they exist, I'm just not convinced that it's terribly justified :-)

>> I don't have any data to suggest how many attacks/whatever they prevent these days, but if they don't have much effect that may be because people don't bother hijacking bogon space, because of the (perceived?) widespread deployment of filters to prevent it.
> I'm not hugely convinced they did all that much to stop attack traffic to begin with.
> If more networks wisely implemented uRPF and other techniques of its ilk on their subscriber/customer aggregation platforms, there would be far less need for bogon filtering and all the headaches that have gone with it.

Does anyone have numbers on this sort of stuff? Dean - was there any data in your blackhole network datasets that had info about this?

> I've dealt with far too much pain when getting IP space in 219/8, 220/8, 222/8, etc., to ever want to implement a bogon filter myself. Of course, other operators that choose to blanket blackhole all APNIC space are another headache :\.

Indeed. I wouldn't recommend implementing bogon filters unless you do it really smartly, because as you say, more bad than good. The solution to a number of the "third party is scary" problems here is simply using BGP-triggered blackholes to do this internally, and making sure you pay really, really close attention to the mailing lists, or maybe rig up something so that when Cymru change their announcements you get a notification, or perhaps it drops them into your table after a few hours of delay.

-- Nathan Ward
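As an added example (not code from this thread, from Team Cymru, or from any router vendor), the inbound policy the two of them describe, modelled in Python: accept a feed prefix only if it is an exact match of a locally known bogon (Nathan's shortest-prefix-only variant) or, optionally, a more-specific within the /8 to /24 range Alastair mentions, with a max-prefix guard and a report of withdrawals so they can be alerted on or delayed. The local bogon list and the feed contents are constructed samples, not a real current list.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed sample of the bogon list we maintain locally (not a real current bogon list).
LOCAL_BOGONS = ["10.0.0.0/8", "127.0.0.0/8", "192.0.2.0/24", "240.0.0.0/4"]


def canon(prefix):
    """Normalise a prefix string (rejects host bits set, e.g. 10.1.0.0/8)."""
    return str(ipaddress.ip_network(prefix, strict=True))


def accept_prefix(prefix, local_bogons, exact=True, min_len=8, max_len=24):
    """Inbound filter for one prefix received from the bogon feed.

    exact=True  : accept only an exact match of a locally known bogon, so the
                  peer can withdraw bogons but never introduce a new one.
    exact=False : also accept a more-specific inside a known bogon whose length
                  lies within [min_len, max_len] (the /8 to /24 range idea).
    """
    net = ipaddress.ip_network(prefix, strict=True)
    for b in local_bogons:
        bog = ipaddress.ip_network(b)
        if bog.version != net.version:
            continue
        if net == bog:
            return True
        if not exact and net.subnet_of(bog) and min_len <= net.prefixlen <= max_len:
            return True
    return False


@dataclass
class FeedResult:
    session_up: bool
    accepted: set = field(default_factory=set)
    rejected: set = field(default_factory=set)
    withdrawn: set = field(default_factory=set)  # local bogons the feed no longer carries


def apply_feed(received, local_bogons, max_prefix, exact=True):
    """Evaluate a full feed snapshot the way a session with max-prefix would."""
    if len(received) > max_prefix:
        # A max-prefix violation tears the session down; nothing gets installed.
        return FeedResult(session_up=False)
    res = FeedResult(session_up=True)
    for p in received:
        (res.accepted if accept_prefix(p, local_bogons, exact) else res.rejected).add(canon(p))
    # Local bogons absent from the feed are withdrawals: alert on them, or hold
    # them for a few hours before un-filtering, rather than acting immediately.
    res.withdrawn = {canon(b) for b in local_bogons} - {canon(p) for p in received}
    return res
```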