The Bogon Reference
Is someone claiming that we're blocking your e-mail?
Please read this!
Introduction
A bogon prefix is a route that should never appear in the Internet routing table. A packet routed over the public Internet (not including over VPNs or other tunnels) should never have a source address in a bogon range. These are commonly found as the source addresses of DDoS attacks.
Bogons are defined as Martians (private and reserved addresses defined by RFC 1918 and RFC 3330) and netblocks that have not been allocated to a regional internet registry (RIR) by the Internet Assigned Numbers Authority. IANA maintains a convenient IPv4 summary page listing allocated and reserved netblocks. Our page includes additional links and resources to assist those who wish to properly filter bogon prefixes within their networks.
It is important to realize that the Bogons list is NOT a static list. IP ranges are regularly added to, and more importantly, removed from the Bogons list. If you filter Bogons, please try to make sure that you have a plan for keeping it up-to-date, or within a short space of time you will be filtering legitimate traffic and creating work for network administrators everywhere.
Keeping up with the bogon filters and IANA allocations isn't difficult, though the format required may not always be readily available. We have attempted to meet this challenge by providing the bogon prefix list in a plethora of formats. These are all updated at the same time, and are based on the same tracking method. The IANA IPv4 allocation list is polled daily and any changes are noted. Within 24 hours the myriad templates are updated and notifications are sent to several lists.
How much does it help to filter the bogons? In one study conducted by Rob Thomas of a frequently attacked site, fully 60% of the naughty packets were obvious bogons (e.g. 127.1.2.3, 0.5.4.3, etc.). A presentation based on that study, entitled "60 Days of Basic Naughtiness," can be viewed here. Your mileage may vary, and you may opt to filter more conservatively or more liberally. As always, you must KNOW YOUR NETWORK to understand the effects of such filtering.
Aggressive ingress and egress filtering is good and wise, but must be maintained. We provide a variety of means to make this maintenance as painless as possible. Please do keep your bogon filters current. The fine folks at the RIPE NCC have a project underway to debogonise new allocations. You can read more about it at http://www.ris.ripe.net/debogon/.
While not all DDoS uses bogons, every little bit helps. Please note that bogon filtering is a component of anti-spoofing filtering, which is also very important. Internet security is all about "the other guy." If one sizeable network is insecure, it WILL be used to abuse other networks. Please help us to secure the edge.
Credits
The free bogon filters, monitoring, and tracking are supported thanks to the kind donations of peering, hosting, gear, and time from many individuals and organizations. If you would like to donate a peering session, old gear, or good coffee :), feel free to contact us.
This page and much of the work behind it is maintained by Team Cymru and other volunteers, including:
- Barry Greene
Table of Contents
Bogon tracking and alerting is currently available through the following methods:
- 1. HTTP
- 2. BGP Peering
- 3. RADb
- 4. RIPE NCC
- 5. DNS
- 6. E-mail
- 7. Bogon Prefix and Bogus ASN Monitoring
- 8. Comments and Feedback
Further information on each of these methods is included below.
1. HTTP Bogon References
One can track the bogon allocations through several web pages.
- The Bogon List
  This is the definitive list of bogons, in dotted decimal and bit notation formats, both aggregated and unaggregated.
- The Text Bogon List, Unaggregated
  This is the list of bit notation bogons, unaggregated, in text format. Suitable for wget'ing and parsing!
- The Text Bogon List, Aggregated
  This is the list of bit notation bogons, aggregated, in text format. Suitable for wget'ing and parsing!
- Ingress Prefix Filter Templates, Loose and Strict (Cisco)
  Ingress Prefix Filter Template, Loose (Juniper)
  Ingress Prefix Filter Template, Strict (Juniper)
  Lists of loose and strict ISP prefix filters for both Cisco and Juniper routers.
IPv6 Bogon Information
The kind folks at the 6bogon@inetcore.com mailing list have provided the following bogon and packet/route filtering documentation for IPv6 networks.
2. BGP Peering Bogon Tracking
Peering with the bogon route-server can provide networks with a rapid method of filtering bogons and detecting new allocations. This is done with a multihop eBGP peering session to a bogon route-server that announces only unaggregated bogon prefixes. A community, 65333:888, is attached to these prefixes for easy filtering through a route-map. For more details, please refer to:
3. RADb
The fine folks at Merit have donated a maintainer object to the cause. MAINT-BOGON-FILTERS contains three filter-sets:
- fltr-unallocated
  The unallocated (by IANA) IPv4 prefixes.
- fltr-martian
  The reserved and special use IPv4 prefixes.
- fltr-bogons
  The combination of fltr-unallocated + fltr-martian.
Details about the RADb and the objects can be found through WHOIS, e.g.:
whois -h whois.radb.net <filter-set-name>
Here is an example WHOIS query for the fltr-martian object:
bogon$ whois -h whois.radb.net fltr-martian
filter-set: fltr-martian
filter: {
0.0.0.0/8^+ ,
10.0.0.0/8^+ ,
127.0.0.0/8^+ ,
169.254.0.0/16^+ ,
172.16.0.0/12^+ ,
192.0.2.0/24^+ ,
192.168.0.0/16^+ ,
198.18.0.0/15^+ ,
224.0.0.0/3^+
}
descr: Special use and reserved IPv4 prefixes.
remarks: For the complete set of bogons, please see:
fltr-unallocated - unallocated prefixes.
fltr-bogons - fltr-unallocated + fltr-martian.
http://www.cymru.com/Documents/bogon-list.html
admin-c: Rob Thomas RT624
tech-c: Rob Thomas RT624
notify: radb@cymru.com
mnt-by: MAINT-BOGON-FILTERS
changed: radb@cymru.com 20021229
changed: radb@cymru.com 20021230
changed: radb@cymru.com 20021230
source: RADB
The objects can be queried via the RADb web interface as well.
Thanks to Boyan Krosnov for reviewing the filters and catching some errors!
Thanks to Shawn Kohlsmith for catching a typo in the description!
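Turning a filter-set object like the fltr-martian output above into something a script can match against, as an added example that is not part of the original page or Team Cymru's tooling. The function names are illustrative, and the embedded text is the dated snapshot printed above, reflowed; a real filter should be built from a freshly queried object.

```python
import ipaddress
import re

# filter: attribute of fltr-martian as printed on this page (2002 snapshot,
# whitespace reflowed). Use it to exercise the parser, not as a current filter.
FLTR_MARTIAN = """\
filter-set: fltr-martian
filter: {
0.0.0.0/8^+ , 10.0.0.0/8^+ , 127.0.0.0/8^+ , 169.254.0.0/16^+ ,
172.16.0.0/12^+ , 192.0.2.0/24^+ , 192.168.0.0/16^+ , 198.18.0.0/15^+ ,
224.0.0.0/3^+
}
descr: Special use and reserved IPv4 prefixes.
"""

TERM = re.compile(r"(\d+\.\d+\.\d+\.\d+/\d+)(\^\+)?")


def parse_filter_set(rpsl_text):
    """Return [(network, more_specifics)] from the filter: { ... } attribute."""
    body = re.search(r"^filter:\s*\{(.*?)\}", rpsl_text, re.S | re.M)
    if body is None:
        raise ValueError("no filter: { ... } attribute found")
    terms = []
    for raw in body.group(1).split(","):
        m = TERM.fullmatch(raw.strip())
        if m is None:  # refuse to build a filter from a term we do not understand
            raise ValueError(f"unsupported filter term: {raw.strip()!r}")
        terms.append((ipaddress.ip_network(m.group(1)), m.group(2) is not None))
    return terms


def match(terms, candidate):
    """Return the filter prefix covering an address or route, else None."""
    net = ipaddress.ip_network(candidate, strict=False)  # bare address -> /32
    for flt, more_specifics in terms:
        # ^+ is RPSL's inclusive more-specifics operator: the prefix itself
        # and everything inside it. Without it only the exact prefix matches.
        if net == flt or (more_specifics and net.subnet_of(flt)):
            return flt
    return None
```

A less specific route such as 192.0.0.0/8 is not matched, because it only overlaps a listed prefix rather than falling inside it.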
4. RIPE NCC
The fine folks at the RIPE NCC have also donated a maintainer object to the cause. MAINT-BOGON-FILTERS contains three filter-sets:
- fltr-unallocated
  The unallocated (by IANA) IPv4 prefixes.
- fltr-martian
  The reserved and special use IPv4 prefixes.
- fltr-bogons
  The combination of fltr-unallocated + fltr-martian.
Details from the RIPE NCC whois database can be obtained through the use of the whois tool:
whois -h whois.ripe.net <filter-set-name>
See the RADb entry above for examples.
Our thanks to Leo Vegoda, Vesna Manojlovic, and the RIPE NCC team for the donation! :)
5. DNS Bogon Tracking
One can track the bogon allocations through DNS. This is accomplished by launching a query in the bogons.cymru.com zone of the form:
dig 1.1.168.192.bogons.cymru.com
For example, we can verify that 192.168.1.1 is part of a bogon prefix:
dig +short 1.1.168.192.bogons.cymru.com
127.0.0.2
We can verify that 1.0.0.0/8 is a bogon prefix:
dig +short 0.0.0.1.bogons.cymru.com
127.0.0.2
The query uses the in-addr.arpa style, i.e. the octets of the IP address are reversed and prepended to the .bogons.cymru.com domain. If the A RR returned is 127.0.0.2, then the IP address in the query is part of a bogon prefix. All of the IPs within a bogon prefix are covered by the zone file, which uses wildcard matches to properly respond to queries within a bogon prefix. The DNS bogon checking can be used for RBL-style filtering.
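Both sides of the lookup described above, as an added example that is not code from the original page: building the reversed query name, and a stand-in resolver that answers from wildcard owner names the way the zone is described as doing. The wildcard layout (one wildcard per octet-aligned block), the stub resolver and the function names are assumptions made for illustration; the prefixes fed to it in the test are constructed samples.

```python
import ipaddress

ZONE = "bogons.cymru.com"  # zone named on this page
LISTED = "127.0.0.2"       # A record value the page gives for a bogon


def qname(ip):
    """Reverse the octets in-addr.arpa style and append the zone."""
    addr = ipaddress.IPv4Address(ip)  # rejects malformed input
    return ".".join(reversed(str(addr).split("."))) + "." + ZONE


def wildcard_owners(prefix):
    """Wildcard owner names covering a prefix (assumed zone layout)."""
    net = ipaddress.ip_network(prefix)
    if not 1 <= net.prefixlen <= 24:
        raise ValueError("example handles /1 through /24 only")
    # Round up to the next octet boundary: a /12 becomes sixteen /16 blocks.
    boundary = -(-net.prefixlen // 8) * 8
    owners = []
    for sub in net.subnets(new_prefix=boundary):
        octets = str(sub.network_address).split(".")[: boundary // 8]
        owners.append("*." + ".".join(reversed(octets)) + "." + ZONE)
    return owners


def make_resolver(prefixes):
    """Stub resolver: returns A records for a name, [] for NXDOMAIN."""
    owners = {o for p in prefixes for o in wildcard_owners(p)}

    def resolve(name):
        labels = name.split(".")
        # A wildcard matches if replacing one or more leading labels
        # with '*' yields an owner name present in the zone.
        for i in range(1, len(labels)):
            if "*." + ".".join(labels[i:]) in owners:
                return [LISTED]
        return []

    return resolve


def is_bogon(ip, resolve):
    """RBL-style check: listed only if the answer contains 127.0.0.2."""
    return LISTED in resolve(qname(ip))
```

In a mail or connection filter, `resolve` would be replaced by a real DNS lookup against the zone, and a resolver failure should be handled separately from an empty answer.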
The bogons.cymru.com zone is served by several name servers:
bogons.cymru.com. 172800 IN NS ns1.cymru.com.
bogons.cymru.com. 172800 IN NS ns2.cymru.com.
bogons.cymru.com. 172800 IN NS ns3.cymru.com.
bogons.cymru.com. 172800 IN NS udns1.ultradns.net.
bogons.cymru.com. 172800 IN NS udns2.ultradns.net.
bogons.cymru.com. 172800 IN NS bogons.anycast.pch.net.
bogons.cymru.com. 172800 IN NS bos.nameserver.net.
bogons.cymru.com. 172800 IN NS iad.nameserver.net.
bogons.cymru.com. 172800 IN NS phl.nameserver.net.
bogons.cymru.com. 172800 IN NS rdu.nameserver.net.
bogons.cymru.com. 172800 IN NS sjc.nameserver.net.
bogons.cymru.com. 172800 IN NS sou.nameserver.net.
Credit to John Payne for the idea!
Zone transfers of the entire bogons.cymru.com zone are permitted from ns1.cymru.com, ns2.cymru.com, and ns3.cymru.com. This can be accomplished with the following syntax:
dig @ns1.cymru.com. axfr bogons.cymru.com.
dig @ns2.cymru.com. axfr bogons.cymru.com.
dig @ns3.cymru.com. axfr bogons.cymru.com.
Credit to Ed Vazquez for the idea of the zone transfer offering!
6. E-mail Bogon Tracking
There is a bogon-announce@puck.nether.net list used exclusively for announcements regarding bogon ranges, e.g. prefix allocations, changes in templates, and the like. This is NOT a discussion list, and is a low volume list designed to help folks to automate the processing of bogon data. Thanks to Jared Mauch for hosting the list! To subscribe to the list, click HERE.
7. Bogon and Bogus ASN Monitoring
Bogons and bogus ASNs do appear in the routing table. You can check to ensure your ASN isn't leaking such things at the links below:
8. Comments and Feedback
We hope these links, references, and monitoring are useful to you. Please feel free to share suggestions, comments, and references with us! Direct your comments to team-cymru@cymru.com.


