[c-nsp] Bogon Filter - Least Resource/CPU intensive method?

Matt Carter matt at iseek.com.au
Thu Mar 6 01:51:05 EST 2008


> Which is the preferred method for blocking bogons on the Internet & why? Is
> the preferred solution sometimes hardware specific?
> 
<..>
> 
> Up to date bogon lists can be found here:
> http://www.cymru.com/Documents/bogon-list.html
> 

A more dynamic approach would perhaps be 

1) Static route some unused address space at the edge to Null0, e.g.
192.0.2.1/32 (192.0.2.0/24 is often used for this application)
2) eBGP peer with the Team Cymru bogon route server
3) Set ip next-hop on received prefixes to 192.0.2.1

At this point traffic _to_ the bogon address space will be routed to Null0 at
the edge and dropped.

4) Apply loose RPF at the edge

At this point traffic _from_ the bogon address space will fail the RPF check
and be dropped.

This approach requires minimal config (1 line) at the edge and no ongoing
adjustments if the bogon list changes.

It is very annoying for us that people like eBay still continue with manual
(and very poorly maintained) bogon filter lists.

--matt
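The four steps above written out as a Cisco IOS configuration fragment. This is an added example, not part of Matt's post or Team Cymru's documentation; the local and peer AS numbers, the route server address, the MD5 key and the interface name are placeholders, and the real peering details come from Team Cymru's own instructions.

```cisco
! Step 1: sink route for the bogon next-hop. 192.0.2.0/24 (TEST-NET-1) is
! never routed on the Internet, so a /32 inside it is a safe next-hop target.
ip route 192.0.2.1 255.255.255.255 Null0

! Step 2: eBGP session with the Team Cymru bogon route server.
! 64496 = our AS (placeholder), 65333 and 198.51.100.10 = peer AS and
! address (placeholders; use the values from Team Cymru's peering request).
router bgp 64496
 neighbor 198.51.100.10 remote-as 65333
 neighbor 198.51.100.10 description Team Cymru bogon route server
 neighbor 198.51.100.10 ebgp-multihop 255
 neighbor 198.51.100.10 password <cymru-md5-key>
 address-family ipv4 unicast
  neighbor 198.51.100.10 activate
  neighbor 198.51.100.10 route-map CYMRU-BOGONS-IN in
  ! Never announce anything back to the route server
  neighbor 198.51.100.10 prefix-list DENY-ALL out

ip prefix-list DENY-ALL seq 5 deny 0.0.0.0/0 le 32

! Step 3: every prefix learned from the route server gets the Null0 sink as
! next-hop. no-export keeps the bogon routes inside our own AS.
route-map CYMRU-BOGONS-IN permit 10
 set ip next-hop 192.0.2.1
 set community no-export

! Step 4: loose-mode uRPF on the edge interface. A packet whose source
! address resolves to a route pointing at Null0 fails the check and is
! dropped, which is what catches traffic *from* bogon space.
! If this router carries only a default route, append "allow-default" so
! legitimate sources that match the default still pass.
interface GigabitEthernet0/0
 description Transit uplink (placeholder interface)
 ip verify unicast source reachable-via any
```

Verify with `show ip bgp neighbors 198.51.100.10 received-routes` that prefixes carry next-hop 192.0.2.1, and with `show ip interface GigabitEthernet0/0` that uRPF shows as enabled on the interface.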