[Dshield] Egress filtering

Johannes Ullrich jullrich at euclidian.com
Sat Mar 8 15:53:02 GMT 2003


> > That's why people should use Rob Thomas's Bogon list for filtering
> > illegal network blocks inbound and outbound. 
> > 
> > http://www.cymru.com/Bogons/index.html
> 
> How does one make use of this? Seems like it would mainly affect
> aggregation points, and wouldn't help someone doing NAT at the boundary.

Of course, if your ISP is already filtering them, there is little need to do so 
on your end. Also, if your link is getting flooded with 'bogons', there is
little your firewall can help with once the pipe upstream of it is full.

However, there are a few cases where I find the bogon list useful. For example,
to 'tag' and reject attacks coming from bogons. Remember that many UDP based
attacks can be launched from spoofed IPs.

If you implement this bogon list, please remember to update it regularly. 
ARIN continues to make assignments and the bogon list will become shorter
over time. There are a lot of complaints from users of newly assigned IPs
that they cannot reach parts of the Internet due to outdated bogon rules.

I believe Rob's website (URL shown above) lists some mailing lists that
will announce changes to the list.




-- 
--------------------------------------------------------------------
jullrich at euclidian.com             Collaborative Intrusion Detection
                                         join http://www.dshield.org
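An added example (not part of this post, and not the Team Cymru list) of the two points above: tagging and rejecting packets whose source falls in a bogon prefix, and checking a rule set against a fresher list so that a block a registry has since assigned is not still being dropped. The prefixes, packets and dates are constructed; 203.0.113.0/24 is documentation space standing in for a hypothetical newly assigned block.

```python
import ipaddress
from datetime import date

# Constructed subset of reserved/unallocated space; NOT the Team Cymru list.
CURRENT_BOGONS = [
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.2.0/24", "192.168.0.0/16", "240.0.0.0/4",
]
# Hypothetical stale copy: same list plus a block we pretend a registry has
# assigned since the rules were built (documentation space used as a stand-in).
STALE_BOGONS = CURRENT_BOGONS + ["203.0.113.0/24"]

# Constructed packets as seen inbound on the external interface.
PACKETS = [
    {"src": "198.51.100.7", "proto": "tcp", "dport": 25},   # ordinary traffic
    {"src": "10.1.2.3", "proto": "udp", "dport": 53},       # RFC 1918 src on WAN: spoofed
    {"src": "127.0.0.1", "proto": "udp", "dport": 123},     # loopback src: spoofed
    {"src": "203.0.113.44", "proto": "tcp", "dport": 443},  # from the "newly assigned" block
]

def compile_bogons(prefixes):
    return [ipaddress.ip_network(p) for p in prefixes]

def bogon_match(src, bogons):
    """Return the bogon prefix containing src, or None if src is routable."""
    addr = ipaddress.ip_address(src)
    for net in bogons:
        if addr in net:
            return net
    return None

def filter_packets(packets, bogons):
    """Tag and reject bogon-sourced packets; returns (action, src, tag) per packet."""
    decisions = []
    for pkt in packets:
        net = bogon_match(pkt["src"], bogons)
        if net is None:
            decisions.append(("accept", pkt["src"], ""))
        else:
            decisions.append(("reject", pkt["src"], f"bogon-src:{net}"))
    return decisions

def wrongly_blocked(stale, current):
    """Prefixes the stale rules still reject although the current list released them."""
    current_nets = set(compile_bogons(current))
    return [n for n in compile_bogons(stale) if n not in current_nets]

def rules_stale(last_updated, today, max_age_days=30):
    """True if the rules are older than max_age_days (the 30-day default is arbitrary)."""
    return (date.fromisoformat(today) - date.fromisoformat(last_updated)).days > max_age_days

if __name__ == "__main__":
    for action, src, tag in filter_packets(PACKETS, compile_bogons(STALE_BOGONS)):
        print(action, src, tag)
    print("released since last update:", wrongly_blocked(STALE_BOGONS, CURRENT_BOGONS))
    print("update needed:", rules_stale("2003-01-01", "2003-03-08"))
```

Run with the stale rules, the last packet is rejected for a prefix that is no longer a bogon, which is exactly the complaint from users of newly assigned addresses mentioned above.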
