[AusNOG] Major additions to Team Cymru's Bogon Feed
Steve Santorelli
steve at cymru.com
Tue Apr 13 01:07:51 EST 2010
Team Cymru is pleased to announce a significant addition to our bogon
reference project. The new portions of the project are offered at no
cost to the community, and the original bogon lists and feeds are not
being changed or canceled, just augmented.
The new "fullbogon" feed includes prefixes allocated to RIRs, but not
assigned by the RIRs to end-users, ISPs, etc, providing a more
complete view of the unassigned space that should not be seen on the
Internet.
This new service is therefore more granular than the original feed,
including a wide variety of non-routable prefixes as well as
unassigned prefixes and it also includes IPv6 prefixes.
Simply email bogonrs at cymru.com with your ASN, peering IP addresses and
whether you use MD5 authentication.
See an overview in the 46th episode of Team Cymru's 'The Who and Why
Show' at www.youtube.com/teamcymru, as well as a more basic overview
in episode 12. For a more detailed explanation, see
<http://www.team-cymru.org/Services/Bogons/>.
Even more so than the original feed, there are significant changes to
the list every day and the feed automatically recalculates the
prefixes as they are allocated from the regional registries, so make
sure you are able to regularly update your lists.
Internet security is all about "the other guy." If one sizeable
network is insecure, it WILL be used to abuse other networks. We look
forward to continuing to help our community to secure the edge.
Why is this important?
Bogons are defined as Martians (private and reserved addresses defined
by RFC 1918 and RFC 5735) and netblocks that have not been allocated
to a regional internet registry (RIR) by the Internet Assigned Numbers
Authority.
A bogon prefix is a route that should never appear in the Internet
routing table on a Router. A packet routed over the public Internet
(obviously, not including over VPNs or other tunnels) should never
have a source address in a bogon range.
These are commonly found as the source addresses of DDoS attacks and
our research has previously shown that, in some cases, up to 60% of
DDoS packets were obvious bogons (e.g. 127.1.2.3, 0.5.4.3, etc.).
This new service comprises a larger set which also includes IP space
that has been allocated to an RIR, but not by that RIR to an actual
ISP or other end-user.
While not all DDoS attacks use bogons, every little bit helps. Note
additionally that bogon filtering is a component of anti-spoofing
filtering, which is also very important.
Internet security is all about "the other guy." If one sizeable
network is insecure, it WILL be used to abuse other networks. We look
forward to continuing to help our community to secure the edge.
warm regards,
Steve.
--
Steve Santorelli,Team Cymru, Inc.|www.team-cymru.org
steve at cymru.com|desk:+1-630-230-5434|cell:+1-312-804-7771
Also, please note that there are many way to keep up with what Team
Cymru are doing, see the lower part of:
http://www.team-cymru.org/About/contact.html
plus:
* join our announce list via cymru-announce-subscribe at cymru.com
* see what we see, www.team-cymru.org/Monitoring/Graphs
* probably the best news feed in the world, www.team-cymru.org/News
* cool stuff you can use, www.team-cymru.org/Services/
* see our Twitter feed at http://twitter.com/teamcymru
More information about the AusNOG
mailing list