On 1/07/2007, at 1:27 AM, Alastair Johnson wrote:
Nathan Ward wrote:
How does network explosion happen?
My recommended way of using Team Cymru bogon
filters is to get the
BGP feed, and filter it so that you only accept prefixes that fall
within your list of currently known bogon prefixes, with the prefix
length that you currently know. From there, all they have the ability
to do is to withdraw bogons, not introduce new ones.
The only network explosion I could see would be large amounts of
advertisement/withdrawal churn eating control plane cycles, but these
same networks peer with direct competitors already, so it's not
really introducing any new attack vectors.
Right - these are all good mitigation tactics and should be applied to
any peer. I'd also assume you would max-prefix the session to
reasonable as well, because if you're going to allow a prefix length
range of say /8 to /24, you have the POTENTIAL for mass injection of
Why would you accept a range?
I'd just accept the shortest prefix, if a longer prefix is de-bogoned
it just means you don't count the still-bogon part as bogon until you
update those filters. Think of it as a way to shorten bogon lists
only, not modify them. Sure you don't get full coverage for a bit,
but you certainly get more than just not filtering at all.
I've done this before on a router that did little more than do
network wide blackholes and that sort of thing, it worked great - of
course, Cymru didn't try to dump large numbers of prefixes at me,
Peering with direct competitors or any other random
network vs peering
with something that influences your network 'security' and
two quite different things. If you're using that BGP-fed bogon
trigger uRPF for instance, it's an entirely new potential attack
Sure, but I'm betting that it can be done smartly.
Have I heard of anything happening like that? No. Do
I believe Team
Cymru would ever do anything like that? No. Can accidents happen?
There are risk averse operators and corps out there that for reasons
like these would not peer with a third party for that.
Yep, I can understand that they exist, I'm just not convinced that
it's terribly justified :-)
have any data to suggest how many attacks/whatever they
prevent these days, but if they don't have much effect that may be
because people don't bother hijacking bogon space, because of the
(perceived?) widespread deployment of filters to prevent it.
I'm not hugely convinced they did all that much to stop attack traffic
to begin with.
If more networks wisely implemented uRPF and other techniques of
on their subscriber/customer aggregation platforms, there would be far
less need for bogon filtering and all the headaches that have gone
Does anyone have numbers of this sort of stuff?
Dean - was there any data in your blackhole network whatever datasets
that had info about this?
I've dealt with far too much pain when getting IP
space in 219/8,
222/8, etc, to ever want to implement a bogon filter myself. Of
other operators that choose to blanket blackhole all APNIC space are
another headache :\.
Indeed. I wouldn't recommend implementing bogon filters unless you do
it really smartly, because as you say, more bad than good.
The solution to a number of the "third party is scary" problems here
is simply using BGP triggered blackholes to do this internally, and
make sure you pay really really close attention to the mailing lists,
or maybe rig up some thing so when Cymru change their announcements
you get a notification or perhaps it drops it in to your table after
a few hours of delay.
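The acceptance policy argued for above (take the bogon feed, but only install prefixes that exactly match what you already consider bogon, so the peer can shrink your list via withdrawals but never add to or subdivide it, with a max-prefix ceiling on the session) as an added model in Python; this is not code from the thread or from Team Cymru, and the bogon list and update stream are constructed sample values.

```python
import ipaddress

# Constructed sample of what the local operator currently knows to be bogon.
# These are documentation/private ranges used purely as placeholders.
KNOWN_BOGONS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]
MAX_PREFIXES = 3  # assumed session max-prefix limit


def accepts(prefix, known=KNOWN_BOGONS):
    """Accept an announcement only if it exactly matches a locally known bogon.

    More-specifics and unknown prefixes are rejected, so the feed can only
    remove entries (via withdrawals); it can never introduce new ones or
    split a known block into longer prefixes.
    """
    try:
        net = ipaddress.ip_network(prefix, strict=True)
    except ValueError:
        return False  # malformed or host-bit-set prefix: treat as rejected
    return net in known


def apply_feed(updates, known=KNOWN_BOGONS, max_prefixes=MAX_PREFIXES):
    """Replay a list of (action, prefix) updates against the policy.

    action is "announce" or "withdraw". Returns (installed, rejected): the
    set of bogon prefixes currently installed (e.g. as blackhole or uRPF
    triggers) and the announcements the policy refused. Raises RuntimeError
    when the installed count exceeds the max-prefix limit, mirroring a
    session teardown.
    """
    installed = set()
    rejected = []
    for action, prefix in updates:
        net = ipaddress.ip_network(prefix, strict=False)
        if action == "withdraw":
            installed.discard(net)  # withdrawals only ever shrink the list
        elif accepts(net, known):
            installed.add(net)
            if len(installed) > max_prefixes:
                raise RuntimeError("max-prefix exceeded: session torn down")
        else:
            rejected.append(net)
    return installed, rejected
```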