Merit Network

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group


Re: Please Check Filters - BOGON Filtering IP Space 72.14.128.0/19

  • From: Curtis Doty
  • Date: Thu Jan 20 11:40:10 2005

11:02am Daniel Golding said:

> Is there an RFC or other standards document that clearly states that static
> bogon filter lists are a bad idea? While this seems like common sense, there

Since this keeps coming up, I'll toss my quick and dirty reminder cronjob 
into the discussion. I cannot imagine any other way of managing the static 
bogons published on the Team Cymru web site. (For those of us who don't 
need to run their many other dynamic options.) Copying a static config 
wholesale is a classic case of myopic thinking.

  $ cat /etc/cron.monthly/ckbogons.sh
  #!/bin/bash
  
  bnagg=http://www.cymru.com/Documents/bogon-bn-agg.txt
  
  # make a new bogon list from the web
  newbog=`mktemp` || exit 1
  trap 'rm -f "$newbog"' EXIT
  wget -qO- "$bnagg" |awk '{print "any net " $1 "\treject"}' >"$newbog"
  
  # an empty list means the download failed; say so instead of diffing
  [ -s "$newbog" ] || { echo "ckbogons: could not fetch $bnagg" >&2; exit 1; }
  
  # get current list from our static-route config
  oldbog=`sed -ne '/^any.*reject$/,/^$/p' /etc/sysconfig/static-routes`
  
  # compare; any output is mailed to the admin by cron
  #echo "$oldbog" |cdiff - "$newbog"
  echo "$oldbog" |diff -uw - "$newbog"

Obviously it's for a Linux edge using Red Hat style initscripts. But the 
basic gist is sound; alert the admin whenever we are out of sync. And an 
expect script could easily be whipped up for monitoring IOS/whatever other 
static bogons one has installed.

Admins who choose the *static* bogon list should use this technique of 
self-control.

../C
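
An added example, not part of the original post: a text diff flags that the lists differ, but when the published list is re-aggregated it does not say which address space is still being rejected after it stopped being a bogon. The sketch below computes that by prefix arithmetic. The function names and both sample lists are constructed for illustration; the prefix 72.14.128.0/19 from the thread subject is used only as a check value.

```python
import ipaddress

# Constructed sample data (not real bogon list contents).
INSTALLED = """\
any net 10.0.0.0/8 reject
any net 72.0.0.0/5 reject
any net 192.168.0.0/16 reject
"""
PUBLISHED = """\
10.0.0.0/8
73.0.0.0/8
74.0.0.0/7
76.0.0.0/6
172.16.0.0/12
192.168.0.0/16
"""

def parse_installed(text):
    """Networks from 'any net <prefix> reject' static-routes lines."""
    fields = (line.split() for line in text.splitlines())
    return [ipaddress.ip_network(f[2]) for f in fields
            if len(f) == 4 and f[:2] == ["any", "net"] and f[3] == "reject"]

def parse_published(text):
    """First field of each non-empty line, as the cron job's awk does."""
    return [ipaddress.ip_network(line.split()[0])
            for line in text.splitlines() if line.strip()]

def uncovered(nets, cover):
    """Address space in `nets` that no network in `cover` contains."""
    left = list(nets)
    for hole in cover:
        nxt = []
        for net in left:
            if not net.overlaps(hole):
                nxt.append(net)              # untouched by this hole
            elif not net.subnet_of(hole):
                nxt.extend(net.address_exclude(hole))  # hole is inside net
            # else: net is fully covered by hole, drop it
        left = nxt
    return list(ipaddress.collapse_addresses(left))

def drift(installed_text, published_text):
    installed = parse_installed(installed_text)
    published = parse_published(published_text)
    stale = uncovered(installed, published)    # rejected, no longer bogon
    missing = uncovered(published, installed)  # bogon, not yet rejected
    return stale, missing

if __name__ == "__main__":
    stale, missing = drift(INSTALLED, PUBLISHED)
    print("stale (remove):", [str(n) for n in stale])
    print("missing (add):", [str(n) for n in missing])
```

The stale set is the one that drops legitimate traffic, so a monitoring job should treat a non-empty stale result as the more urgent alert.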
