You're missing one of the basic issues with bogon sources: they are often advertised bogons, i.e. the bad guy DOES care about getting the packets back, and has, in fact, created a way to do so.

This is usually VERY BAD traffic, and EVEN WORSE if a user goes TO a site hosted in such IP space. So, bogon filtering has value beyond mere spoofed source rejection.

> -----Original Message-----
> From: Sean Donelan [mailto:[EMAIL PROTECTED]
> Sent: Thursday, August 21, 2008 5:19 PM
> To: NANOG list
> Subject: Re: Is it time to abandon bogon prefix filters?
>
> On Mon, 18 Aug 2008, Danny McPherson wrote:
> > All the interesting attacks today that employ spoofing (and the
> > majority of the less-interesting ones that employ spoofing) are
> > usually relying on existence of the source as part of the attack
> > vector (e.g., DNS cache poisoning, BGP TCP RST attacks, DNS reflective
> > amplification attacks, etc..), and as a result, loose mode gives folks
> > a false sense of protection/action.
>
> Yep. Same thing with bogon filters. Any attacker which can
> source packets with bogon addresses, can by definition,
> source packets with any "valid" IP address too. Great as an
> academic exercise, but the bad guys are going to send evil
> packets without the evil bit nor using bogon addresses. If
> the bad guys are using spoofed addresses, they don't care
> about the reply packets to either valid or unallocated addresses.
>
> However, seeing packets with unallocated IP addresses on the
> Internet is evidence of a broken network. Just like when a
> network trips "max prefix" on a BGP session, shouldn't a
> broken network be shut down until the problem is fixed. If
> you don't want to risk your network peers turning off the
> connections, make sure your network doesn't source spoofed packets.
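The distinction the reply draws, between an advertised bogon (which loose-mode uRPF happily passes, because a route for it exists) and a static bogon prefix filter (which drops it regardless of the routing table), is easy to see in a small model. The following is an added example written for this page, not code from either poster or from any router vendor. The reserved ranges in BOGON_PREFIXES are the well-known special-use IPv4 blocks; the routing table, the advertised bogon 10.66.0.0/16 and the sample packets are constructed for the example, and the "unallocated" portion of a real bogon list must be refreshed from the RIRs, which this static list does not attempt.

```python
import ipaddress

# Well-known reserved / special-use IPv4 blocks (RFC 1122, 1918, 3927, 5737,
# 6598, 1112, 919). A production bogon list also carries currently
# unallocated space, which changes over time; that part is not modelled here.
BOGON_PREFIXES = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.2.0/24",
    "192.168.0.0/16", "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24",
    "224.0.0.0/4", "240.0.0.0/4",
)]

# Constructed toy routing table. It deliberately contains an advertised bogon
# (10.66.0.0/16) to model the case the reply describes: someone announcing
# reserved/unallocated space so that return traffic actually reaches them.
RIB = [ipaddress.ip_network(p) for p in (
    "198.41.0.0/24",   # constructed "legitimate" prefix
    "192.0.32.0/20",   # constructed "legitimate" prefix
    "10.66.0.0/16",    # advertised bogon
)]


def is_bogon(addr, bogons=BOGON_PREFIXES):
    """True if the address falls in any bogon prefix."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in bogons)


def loose_urpf_pass(src, rib=RIB):
    """Loose-mode uRPF: accept the source if ANY route in the RIB covers it.
    It does not care which interface the packet arrived on, so an advertised
    bogon passes this check."""
    ip = ipaddress.ip_address(src)
    return any(ip in net for net in rib)


def filter_packet(src, dst, rib=RIB, bogons=BOGON_PREFIXES):
    """Apply the bogon filter in both directions, then loose uRPF.
    Returns (action, reason). Checking the destination as well covers the
    'user goes TO a site hosted in such IP space' case from the reply."""
    if is_bogon(src, bogons):
        return ("drop", "bogon source")
    if is_bogon(dst, bogons):
        return ("drop", "bogon destination")
    if not loose_urpf_pass(src, rib):
        return ("drop", "uRPF loose: no route to source")
    return ("accept", "ok")


# Constructed sample packets as (src, dst).
SAMPLE_PACKETS = [
    ("198.41.0.4", "192.0.32.10"),    # legitimate
    ("10.66.1.1", "192.0.32.10"),     # advertised bogon: uRPF passes, bogon filter drops
    ("203.0.113.7", "192.0.32.10"),   # unrouted TEST-NET-3 source
    ("198.41.0.4", "10.66.9.9"),      # user heading TO a site in bogon space
]


def audit(packets=SAMPLE_PACKETS):
    """Compare what loose uRPF alone would do against the full filter,
    so the gap the reply describes is visible per packet."""
    rows = []
    for src, dst in packets:
        action, reason = filter_packet(src, dst)
        rows.append({
            "src": src, "dst": dst,
            "urpf_loose_passes": loose_urpf_pass(src),
            "action": action, "reason": reason,
        })
    return rows


if __name__ == "__main__":
    for row in audit():
        print(row)
```

The second sample packet is the interesting one: loose_urpf_pass() returns True because 10.66.0.0/16 is in the table, yet filter_packet() drops it, which is exactly the value the reply says bogon filtering has beyond rejecting spoofed sources. In practice the destination-side check belongs on the customer-facing edge, and the prefix list needs the same maintenance discipline as any other ACL, since a stale bogon list will eventually drop newly allocated, legitimate space.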