The Bogon Reference
Current version: 7.0
Fullbogons updated multiple times daily
A bogon prefix is a route that should never appear in the Internet routing table. A packet routed over the public Internet (not including over VPNs or other tunnels) should never have a source address in a bogon range. These are commonly found as the source addresses of DDoS attacks.
Bogons are defined as Martians (private and reserved addresses defined by RFC 1918, RFC 5735, and RFC 6598) and netblocks that have not been allocated to a regional internet registry (RIR) by the Internet Assigned Numbers Authority. Fullbogons are a larger set which also includes IP space that has been allocated to an RIR, but not assigned by that RIR to an actual ISP or other end-user. IANA maintains a convenient IPv4 summary page listing allocated and reserved netblocks, and each RIR maintains a list of all prefixes that they have assigned to end-users. Our bogon reference pages include additional links and resources to assist those who wish to properly filter bogon prefixes within their networks.
It is important to realize that the bogon and fullbogon lists are NOT static lists. IP ranges are regularly added to, and more importantly, removed from the bogon lists. If you filter bogons, please try to make sure that you have a plan for keeping your filters up-to-date, or within a short space of time you will be filtering legitimate traffic and creating work for network administrators everywhere. This is especially true for the fullbogons list, which has significant changes every day.
We have attempted to make the task of maintaining bogon filters simpler for network operators by providing a wide range of formats and methods through which you can receive this data, which are all updated on the same interval, and based on the authoritative sources of the data (the relevant RFCs, the IANA IPv4 allocation list, and RIR data). Changes in all of these sources are constantly monitored and quickly reflected within the documents we provide.
How much does it help to filter the bogons? In one study conducted by Rob Thomas of a frequently attacked site, fully 60% of the naughty packets were obvious bogons (e.g. 127.1.2.3, 0.5.4.3, etc.). A presentation based on that study, entitled "60 Days of Basic Naughtiness," can be viewed here. Your mileage may vary, and you may opt to filter more conservatively or more liberally. As always, you must KNOW YOUR NETWORK to understand the effects of such filtering.
Aggressive ingress and egress filtering is good and wise, but must be maintained. We provide a variety of means to make this maintenance as painless as possible. Please do keep your bogon filters current. The fine folks at the RIPE NCC have a project underway to debogonise new allocations. You can read more about it at http://www.ris.ripe.net/debogon/.
While not all DDoS uses bogons, every little bit helps. Please note that bogon filtering is a component of anti-spoofing filtering, which is also very important. Internet security is all about "the other guy." If one sizeable network is insecure, it WILL be used to abuse other networks. Please help us to secure the edge.
Bogon tracking and alerting is currently available through the following methods:
We also provide a changelog listing all major changes to the bogon reference pages.
Bogons and bogus ASNs do appear in the routing table. You can check to ensure your ASN isn't leaking such things at the links below:
For many years Team Cymru has offered the bogon reference project. This was a list of IPv4 space that is either explicitly reserved by various RFCs for special purposes (the martians) or that has not been allocated by IANA to any of the Regional Internet Registries (RIRs).
With the continued depletion of IPv4 space and the continuing growth of IPv6, we determined that something more enumerative was required. The traditional Team Cymru bogon feed isn't granular enough for the current IPv4 environment, and doesn't have coverage for IPv6.
Enter the fullbogons! Fullbogons begins with the traditional bogon prefixes. We then add the IP space allocated to the RIRs, but not yet assigned by them to ISPs or other end-users. This provides a much more granular and enumerative view of IP space that should not appear on the Internet.
Fullbogons are available for both IPv4 and IPv6. Due to the fragmented nature of IP allocations and assignments, the fullbogons feed is much larger than the traditional bogon feed.
We intend to continue offering both flavors of bogons for the forseeable future - you can choose which is more useful to you and your networks, or perhaps even use both for different purposes - it's up to you! It is important to note that fullbogons change every day, and absolutely must be kept up-to-date, because prefixes are being distributed all the time. If you just download a fullbogons list once and use it to block access to systems, it WILL become out of date very quickly, and you WILL wind up blocking legitimate traffic.
The free bogon filters, monitoring, and tracking are supported thanks to the kind donations of peering, hosting, gear, and time from many individuals and organizations. If you would like to donate route-server hosting, a peering session, or good coffee :), feel free to contact us.
This page and much of the work behind it is maintained by Team Cymru and other volunteers, including:
- Barry Greene
We hope these links, references, and monitoring are useful to you. Please feel free to share suggestions, comments, and references with us! Direct your comments to firstname.lastname@example.org.