I was thinking the other day that I’ve used the term bogon in several Packet Pushers podcasts and never really bothered to define it for my readers. Sure, you could go out and search on the Internet. But you’ve got me for that!
Bogon is a term used in networking to describe a “bogus address”. According to Wikipedia, Fount of All Knowledge, the term originated as a hacker reference to a single unit of bogosity, which is the property of being bogus. I personally like to think of it as standing for BOGus Network (forgive my spelling). Note that this refers to undesirable packets. It is not to be confused with a vogon, which is a class of undesirable bureaucrats that run the galaxy, or a bogan, which is an undesirable socioeconomic class in Australia (if you’re American, think “redneck” or “white trash”).
Bogons are addresses that should never be seen as the source of packets entering your network. The most stable class of bogon goes by its own name: the martian, so called because the packets look like they are coming from Mars, which is a place packets clearly cannot be sourced from…yet. Martians include any address space that is listed as reserved by RFC1918 or RFC5735. It’s a pretty comprehensive list, especially in RFC5735, so take a few moments to familiarize yourself with it. You’ll see the majority of the private networks along with APIPA addressing (169.254.0.0/16) and a few lesser-known examples of bogus networks as well.
The other component of a bogon is an address that shouldn’t exist on the public Internet. Beyond the aforementioned martians, the only other bogons should be IP blocks that haven’t yet been allocated by IANA to the RIRs. However, that list should be almost empty right now, as IANA has exhausted all of its available address space and handed it over to the five RIRs. The folks over at Team Cymru (that’s pronounced kum-ree, for those not fortunate enough to be fluent in Welsh) have put together a list of what they call “fullbogons”, which lists the prefixes assigned to RIRs but not yet handed out to ISPs for consumption by customers. Traffic sourced from these ranges should be treated as dubious until the range is allocated by the RIR. The fullbogon list is updated very frequently as the hungry, hungry Internet gobbles up more and more prefixes, so if you are going to use it, please stay on top of it.
How Do I Use Bogons?
My preferred method of using a bogon list is an access control list (ACL) on the edge router, designed to filter traffic before it ever lands on my network. A standard ACL matches on source address only, which is exactly what bogon filtering needs. By putting the ACL on the very edge of the network, the traffic never gets the chance to hop to my firewall for evaluation, and I’d prefer to save every spare CPU cycle I can on that puppy. My access list looks something like this (taken from Team Cymru’s bogon list today):
!
access-list 1 deny 0.0.0.0 0.255.255.255
access-list 1 deny 10.0.0.0 0.255.255.255
access-list 1 deny 127.0.0.0 0.255.255.255
access-list 1 deny 169.254.0.0 0.0.255.255
access-list 1 deny 172.16.0.0 0.15.255.255
access-list 1 deny 192.0.0.0 0.0.0.255
access-list 1 deny 192.0.2.0 0.0.0.255
access-list 1 deny 192.168.0.0 0.0.255.255
access-list 1 deny 198.18.0.0 0.1.255.255
access-list 1 deny 198.51.100.0 0.0.0.255
access-list 1 deny 203.0.113.0 0.0.0.255
! Assumed: the next two entries were unreadable in this copy of the post and are
! taken to be the multicast (224.0.0.0/4) and class E (240.0.0.0/4) blocks from the Cymru list.
access-list 1 deny 224.0.0.0 15.255.255.255
access-list 1 deny 240.0.0.0 15.255.255.255
access-list 1 permit any
!
!
interface FastEthernet 0/0
 description Internet_Facing
 ip access-group 1 in
!
That should wipe out all the evil bogons and martians trying to invade your network. If you want to use the fullbogon list, your ACL will obviously be considerably longer and will need to be updated far more often, so generate it from the published list rather than typing it by hand. The list above is just the basic bogon/martian filter and should serve you well.
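Since the fullbogon list runs to thousands of prefixes and changes often, the practical way to keep the ACL current is to generate it. The script below is an added example, not code from the original post or from Team Cymru: it parses a prefix list in the one-CIDR-per-line format Team Cymru publishes, turns each prefix into a Cisco standard ACL entry with the correct wildcard mask, and also checks a source address against the list so you can confirm what the ACL would deny. The prefix list embedded here is a hand-constructed copy of the basic bogon prefixes, not a download; the function names (`parse_prefix_list`, `build_standard_acl`, `is_bogon`) are my own.

```python
"""Generate a Cisco IOS standard ACL from a bogon prefix list and classify
source addresses against it.

Added example, not code from the original post or from Team Cymru. The
prefix list below is a hand-constructed copy in the same one-prefix-per-line
format Team Cymru publishes; a real deployment would download the current
file (the fullbogon list changes often) and regenerate the ACL from it.
"""
import ipaddress

# Constructed sample in the Cymru text format: '#' comments, one CIDR per line.
SAMPLE_BOGON_LIST = """\
# basic bogon list, constructed sample for this example
0.0.0.0/8
10.0.0.0/8
127.0.0.0/8
169.254.0.0/16
172.16.0.0/12
192.0.0.0/24
192.0.2.0/24
192.168.0.0/16
198.18.0.0/15
198.51.100.0/24
203.0.113.0/24
224.0.0.0/4
240.0.0.0/4
"""


def parse_prefix_list(text):
    """Return the IPv4 networks in a Cymru-style list, skipping comments and blanks.

    strict=False tolerates an entry with host bits set (e.g. 10.1.2.3/8)
    instead of aborting the whole ACL build on one sloppy line.
    """
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def wildcard_mask(net):
    """Cisco ACLs use an inverted mask where 1 bits mean 'don't care'.

    /12 -> netmask 255.240.0.0 -> wildcard 0.15.255.255
    """
    return str(net.hostmask)


def build_standard_acl(nets, acl_number=1):
    """Emit a standard (source-only) ACL: one deny per bogon, then permit any.

    Prefixes are collapsed first, so overlapping or adjacent entries merge
    (224.0.0.0/4 + 240.0.0.0/4 become a single 224.0.0.0/3 line) and the
    ACL stays as short as possible for a long fullbogon list.
    """
    lines = []
    for net in ipaddress.collapse_addresses(nets):
        lines.append(
            f"access-list {acl_number} deny {net.network_address} {wildcard_mask(net)}"
        )
    lines.append(f"access-list {acl_number} permit any")
    return lines


def is_bogon(src_ip, nets):
    """True if src_ip falls inside any listed prefix, i.e. the ACL would deny it."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in nets)


if __name__ == "__main__":
    nets = parse_prefix_list(SAMPLE_BOGON_LIST)
    print("!")
    for line in build_standard_acl(nets):
        print(line)
    print("!")
    # A few source addresses as they might appear in a sampled flow record.
    for src in ("203.0.113.7", "192.0.2.1", "198.18.5.5", "8.8.8.8", "169.254.1.1"):
        verdict = "DENY (bogon)" if is_bogon(src, nets) else "permit"
        print(f"{src:>15} -> {verdict}")
```

To drive this from the real list, replace `SAMPLE_BOGON_LIST` with the contents of the downloaded file and paste the emitted lines into a fresh ACL number, then swap the `ip access-group` on the Internet-facing interface over to it; regenerating on a schedule is what keeps a fullbogon ACL from going stale.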
Blocking these spoofed networks before they can make it to you is a huge help in preventing attacks and spurious traffic from overwhelming you as a Network Rock Star. Every little bit helps today with all of the reliance on the Internet, especially as we start moving toward…The Cloud. If you sit down and block just the regular bogon list I’ve outlined above, you can block up to 60% (Warning: Powerpoint) of the obviously bad stuff trying to get to your network. That should be a big relief to you and let you have a few minutes of free time to take up a new hobby, like poetry.
Thanks to Team Cymru for all the information and stats. Head over to http://www.team-cymru.org to learn more about all those nasty bogons and how to stop them.
There may be some benefits to routing to Null0 rather than using an ACL. I believe that it may be more efficient; I guess the router may send ICMP back to the source if the ACL drops the traffic.