Questions about bogon filtering [Was: Re: Firewall update (if you're filtering bogons)]

Arjan n6bc23cpcduw at list.nospam.xutrox.com
Tue Nov 4 18:44:53 UTC 2008


F. Fox wrote:
> Arjan wrote:
>> The list of IPv4 Global Unicast Address Assignments got updated yesterday:
>> 	http://iana.org/assignments/ipv4-address-space/
> 
>> The previously unallocated prefix 197/8 has been allocated. Please
>> remove it from your firewall filter if you're filtering bogons.
> 
> A question: Does filtering bogons really help security all that much? I
> would think that about all it'd be good for would be dropping packets
> with spoofed IDs - but in the case of a DDoS, where such a thing is
> likely, they've accomplished their goal simply by having the packet get
> across your uplink and bounce off your firewall.
> 
> I suppose it could help spare load on a server in the case of a SYN
> flood directed towards one, but I would think it wouldn't be all that
> hard to adjust the RNG algorithm (or counter, or whatever) to have the
> spoofed IPs on the packets generated only in non-bogon space.
> 

You're right that it doesn't help security, but I prefer to filter all
traffic that's not supposed to come from / go to the internet. Filtering
invalid outgoing traffic should help me stay out of trouble with my ISP.
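The practical risk the original post points at is a stale bogon list: once IANA allocates a prefix such as 197/8, a filter that still drops it silently blocks legitimate traffic. The following is an added example, not code from either poster, that audits a firewall's bogon rules against an allocation table. The table here is a constructed sample (only the 197/8 = ALLOCATED entry reflects what the post states; the 5/8 = UNALLOCATED entry is hypothetical), the `iptables` syntax and the `eth0` interface name are assumptions, and the special-use prefixes come from the relevant RFCs (1122, 1918, 3927) rather than from the page.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample of an IANA IPv4 address-space table (NOT real IANA data).
# Only "197.0.0.0/8": ALLOCATED reflects the post; the rest is illustrative.
SAMPLE_IANA_TABLE: Dict[str, str] = {
    "5.0.0.0/8": "UNALLOCATED",   # hypothetical unallocated block
    "10.0.0.0/8": "RESERVED",     # RFC 1918 private use
    "127.0.0.0/8": "RESERVED",    # RFC 1122 loopback
    "197.0.0.0/8": "ALLOCATED",   # newly allocated per the post: no longer a bogon
    "198.0.0.0/8": "ALLOCATED",
}

# Special-use space that must never appear on the public internet as a
# source or destination, whatever the allocation table says.
ALWAYS_BOGON: List[str] = [
    "0.0.0.0/8",        # RFC 1122 "this network"
    "10.0.0.0/8",       # RFC 1918 private use
    "127.0.0.0/8",      # RFC 1122 loopback
    "169.254.0.0/16",   # RFC 3927 link-local
    "172.16.0.0/12",    # RFC 1918 private use
    "192.168.0.0/16",   # RFC 1918 private use
    "224.0.0.0/4",      # multicast
    "240.0.0.0/4",      # reserved
]


def current_bogons(table: Dict[str, str]) -> List[ipaddress.IPv4Network]:
    """Everything in the table that is not ALLOCATED, plus the fixed
    special-use prefixes, deduplicated and sorted by network address."""
    nets = {ipaddress.ip_network(p) for p, status in table.items()
            if status != "ALLOCATED"}
    nets.update(ipaddress.ip_network(p) for p in ALWAYS_BOGON)
    return sorted(nets)


def audit_filter(filter_rules: List[str],
                 table: Dict[str, str]) -> Tuple[List[str], List[str]]:
    """Compare an existing bogon filter (list of CIDR strings) with the table.

    Returns (stale, missing):
      stale   - rules no longer inside any bogon prefix; they now drop
                legitimately allocated space and should be removed.
      missing - bogon prefixes not covered by any rule.
    """
    bogons = current_bogons(table)
    rules = [ipaddress.ip_network(r) for r in filter_rules]
    stale = [str(r) for r in rules
             if not any(r.subnet_of(b) for b in bogons)]
    missing = [str(b) for b in bogons
               if not any(b.subnet_of(r) for r in rules)]
    return stale, missing


def render_rules(table: Dict[str, str], iface: str = "eth0") -> List[str]:
    """Emit iptables DROP rules for both directions, as the post describes:
    drop bogon sources coming in and bogon destinations going out.
    (iptables syntax and the interface name are assumptions of this example.)"""
    lines = []
    for net in current_bogons(table):
        lines.append(f"iptables -A INPUT -i {iface} -s {net} -j DROP")
        lines.append(f"iptables -A OUTPUT -o {iface} -d {net} -j DROP")
    return lines


if __name__ == "__main__":
    # Constructed example of a filter written before 197/8 was allocated.
    old_filter = ["5.0.0.0/8", "10.0.0.0/8", "197.0.0.0/8"]
    stale, missing = audit_filter(old_filter, SAMPLE_IANA_TABLE)
    print("remove (now allocated):", stale)
    print("not covered:", missing)
    print("\n".join(render_rules(SAMPLE_IANA_TABLE)))
```

The audit runs offline against whatever table you feed it; in practice the table would be parsed from the current IANA assignments file, and the check should run every time that file changes, since the cost of a missed update is dropped legitimate traffic rather than a security gain.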


