Nathan Ward wrote:
How does network explosion happen?
"Potential"
My recommended way of using Team Cymru bogon filters is to get the BGP feed, and filter it so that you only accept prefixes that fall within your list of currently known bogon prefixes, with the prefix length that you currently know. From there, all they have the ability to do is to withdraw bogons, not introduce new ones.
The only network explosion I could see would be large amounts of advertisement/withdrawal churn eating control plane cycles, but these same networks peer with direct competitors already, so it's not really introducing any new attack vectors.
Right - these are all good mitigation tactics and should be applied to any peer. I'd also assume you would max-prefix the session to something reasonable as well, because if you're going to allow a prefix length range of say /8 to /24, you have the POTENTIAL for mass injection of prefixes. Peering with direct competitors or any other random network vs peering with something that influences your network 'security' and operation are two quite different things. If you're using that BGP-fed bogon list to trigger uRPF for instance, it's an entirely new potential attack vector. Have I heard of anything happening like that? No. Do I believe Team Cymru would ever do anything like that? No. Can accidents happen? Yes. There are risk averse operators and corps out there that for reasons like these would not peer with a third party for that.
I don't have any data to suggest how many attacks/whatever they prevent these days, but if they don't have much effect that may be because people don't bother hijacking bogon space, because of the (perceived?) widespread deployment of filters to prevent it.
I'm not hugely convinced they did all that much to stop attack traffic to begin with. If more networks wisely implemented uRPF and other techniques of its ilk on their subscriber/customer aggregation platforms, there would be far less need for bogon filtering and all the headaches that have gone with it. I've dealt with far too much pain when getting IP space in 219/8, 220/8, 222/8, etc, to ever want to implement a bogon filter myself. Of course, other operators that choose to blanket blackhole all APNIC space are another headache :\.

aj.

-- 
"Be liberal in what you accept, but conservative in what you send"?
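The two controls discussed in the thread (accept from the bogon feed only prefixes that exactly match, network and length, a bogon you already know about, so the peer can withdraw but never introduce; plus a max-prefix cap on the session) as an added worked example, not code from either poster or from Team Cymru. The bogon list, the max-prefix value and the sample feed are constructed for illustration.

```python
import ipaddress

# Constructed sample of the "currently known" bogon list (not a real feed).
KNOWN_BOGONS = {
    ipaddress.ip_network("0.0.0.0/8"),
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
}
MAX_PREFIX = 4  # hypothetical max-prefix limit configured on the session


def accept_bogon_update(prefix, known=KNOWN_BOGONS):
    """True only if the announced prefix is exactly one of the known bogons.
    A more- or less-specific of a bogon has a different length and is dropped,
    so the feed cannot grow the set of filtered space."""
    try:
        net = ipaddress.ip_network(prefix, strict=True)
    except ValueError:
        return False
    return net in known


def apply_feed(updates, known=KNOWN_BOGONS, max_prefix=MAX_PREFIX):
    """Apply ("announce"|"withdraw", prefix) events from the feed.
    Returns (accepted_set, rejected_announcements, session_still_up)."""
    accepted, rejected = set(), []
    for action, prefix in updates:
        if action == "withdraw":
            # Withdrawals are always honoured: removing a bogon can only
            # make the filter more permissive, never blackhole new space.
            try:
                accepted.discard(ipaddress.ip_network(prefix, strict=True))
            except ValueError:
                pass
            continue
        if not accept_bogon_update(prefix, known):
            rejected.append(prefix)
            continue
        accepted.add(ipaddress.ip_network(prefix))
        if len(accepted) > max_prefix:
            return accepted, rejected, False  # max-prefix hit: tear session down
    return accepted, rejected, True


# Constructed feed: one exact bogon, a more-specific of a bogon, a non-bogon
# prefix, a second exact bogon, then a withdrawal of the first.
SAMPLE_FEED = [
    ("announce", "10.0.0.0/8"),
    ("announce", "10.0.0.0/16"),
    ("announce", "203.0.113.0/24"),
    ("announce", "192.168.0.0/16"),
    ("withdraw", "10.0.0.0/8"),
]
```

Running `apply_feed(SAMPLE_FEED)` leaves only 192.168.0.0/16 installed, with the more-specific and the non-bogon announcement rejected; passing a smaller `max_prefix` shows the session being dropped once the cap is exceeded.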