Bogon Route Server Project
Introduction
A bogon prefix is a route that should not currently appear in the Internet routing table. A packet routed over the public Internet (not including over VPN or other tunnels) should not currently have a source address in a bogon range. These are commonly found as the source addresses of DDoS attacks.
There are a variety of ways to track the bogons and updated IANA allocations. The goal of the Bogon Route Server Project is to provide this data and update notification through a multihop eBGP peering session. This can make the automation of filters quite simple for even the largest networks.
Bogons do leak into the global table occasionally. This is generally a mistake on a router. The bogon route-server can help you to avoid the propagation of such mistakes or the acceptance of such prefixes.
Other methods of bogon tracking and filtering can be found on the Bogon Reference Page.
CAVEATS
N.B.: Please remember that this is a free service. It comes with no warranties or guarantees. You own your own network, and are responsible for the (mis)use of this data. We do hope it is useful to you and your network. KNOW YOUR NETWORK.
Please note that if you utilize RFC1918 space internally, you may wish to filter those announcements from the bogon route-servers. This can be accomplished easily with route-maps or prefix-lists. Contact us if you require assistance with this filtering.
Gory Details
The peering is conducted over a multihop eBGP peering session. The routers used for this peering are a collection of one-armed Cisco 4500M and 2600 routers; these serve no other purpose aside from the announcement of the bogon prefixes. There are currently 10 bogon route-servers online; 5 in the United States, 2 in Europe, 2 in Asia and 1 in Africa. We strongly recommend that you peer with at least 2 separate route-servers for redundancy.
The bogon prefixes are announced unaggregated; as of 14 JUL 2008 this includes 45 prefixes. The ASN used by all of the bogon route-servers is 65333. A private ASN is used to ensure that leakage is easily detected and prevented. Each prefix is tagged with a community, 65333:888, to more readily enable filtering. Peering sessions include the use of a password. The bogon route-servers accept no prefixes from their peers.
Note for those who use Zebra: Zebra does not yet support RFC 2385, passwords on peering sessions. We will exempt Zebra users from the TCP MD5 password requirement.
The bogon route-servers announce the bogon prefixes through a combination of BGP network statements and nailed routes. When a prefix is allocated by IANA to one of the RIRs, the nailed route is removed and the bogon prefix is quickly withdrawn from the BGP announcements. It's clean and works quickly.
Automatically Filtering Bogons
So how does one use the community 65333:888 prefixes to generate a bogon filter? There are myriad methods, of course. One possible method is to use a route-map and a route with a next-hop of the null0 (Cisco) interface. We have collected examples below from our own experience and from several helpful contributors.
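As an added illustration (not part of the original page or of Team Cymru's tooling), the following Python models the import policy that the router examples in this section implement: accept only routes tagged 65333:888 and originated by AS 65333, rewrite the next-hop to the blackholed 192.0.2.1, enforce the 100-prefix limit, and optionally drop prefixes you use internally, as the RFC1918 caveat above recommends. The Update class, function names, and the sample announcements (including the route-server address 198.51.100.1) are constructed for this example.

```python
import ipaddress
from dataclasses import dataclass

BOGON_ASN = 65333                 # private ASN used by every bogon route-server
BOGON_COMMUNITY = "65333:888"     # community attached to each bogon prefix
BLACKHOLE_NEXTHOP = "192.0.2.1"   # statically routed to null0 / discard
MAX_PREFIX = 100                  # maximum-prefix limit used in the router configs

@dataclass(frozen=True)
class Update:              # hypothetical minimal BGP UPDATE for this example
    prefix: str
    as_path: tuple         # AS_PATH as received, origin AS last
    communities: frozenset
    next_hop: str

def cymru_bogons_in(u):
    """Import policy equivalent to route-map CYMRUBOGONS / CYMRU-bogons-in:
    accept only routes carrying 65333:888 AND originated by AS 65333, and
    rewrite the next-hop to the blackhole address. Anything else is rejected."""
    if BOGON_COMMUNITY in u.communities and u.as_path[-1:] == (BOGON_ASN,):
        return Update(u.prefix, u.as_path, u.communities, BLACKHOLE_NEXTHOP)
    return None

def build_bogon_table(updates, exclude=()):
    """Apply the import policy and enforce the prefix limit as the session
    would. `exclude` lists prefixes used internally (e.g. RFC1918 space) that
    must not be blackholed. Returns {network: next_hop} for accepted routes."""
    skip = {ipaddress.ip_network(p) for p in exclude}
    accepted = [r for r in map(cymru_bogons_in, updates) if r is not None]
    if len(accepted) > MAX_PREFIX:
        raise RuntimeError(f"maximum-prefix {MAX_PREFIX} exceeded; session torn down")
    return {ipaddress.ip_network(r.prefix): r.next_hop for r in accepted
            if ipaddress.ip_network(r.prefix) not in skip}

def is_bogon_source(table, src_ip):
    """Would a packet with this source address be routed to null0?
    Longest-prefix match against the table, as the forwarding table does."""
    ip = ipaddress.ip_address(src_ip)
    best = max((n for n in table if ip in n), key=lambda n: n.prefixlen, default=None)
    return best is not None and table[best] == BLACKHOLE_NEXTHOP

# Constructed sample session: two genuine bogon announcements plus one route
# that carries the community but was not originated by AS 65333 (a leak).
SAMPLE_UPDATES = [
    Update("0.0.0.0/8", (65333,), frozenset({BOGON_COMMUNITY}), "198.51.100.1"),
    Update("10.0.0.0/8", (65333,), frozenset({BOGON_COMMUNITY}), "198.51.100.1"),
    Update("203.0.113.0/24", (64496, 64497), frozenset({BOGON_COMMUNITY}), "198.51.100.1"),
]
```

Calling build_bogon_table(SAMPLE_UPDATES, exclude=["10.0.0.0/8"]) shows the RFC1918 exemption: 10.0.0.0/8 is dropped from the blackhole table while 0.0.0.0/8 stays.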
Cisco router example
router bgp <your asn>
 neighbor x.x.x.x remote-as 65333
 neighbor x.x.x.x ebgp-multihop 255
 neighbor x.x.x.x description <your description>
 neighbor x.x.x.x prefix-list cymru-out out
 neighbor x.x.x.x route-map CYMRUBOGONS in
 neighbor x.x.x.x password <your password>
 neighbor x.x.x.x maximum-prefix 100 threshold 90
!
! Remember to configure your Cisco router to handle the new style
! community syntax.
ip bgp-community new-format
!
! Set a bogon next-hop on all routers that receive the bogons.
ip route 192.0.2.1 255.255.255.255 null0
!
! Configure a community list to accept the bogon prefixes into the
! route-map.
ip community-list 10 permit 65333:888
!
! Configure the route-map. Remember to apply it to the proper
! peering sessions.
route-map CYMRUBOGONS permit 10
 description Filter bogons learned from cymru.com bogon route-servers
 match community 10
 set ip next-hop 192.0.2.1
!
ip prefix-list cymru-out seq 5 deny 0.0.0.0/0 le 32
Cisco peer-groups example
With the advent of multiple bogon route-servers, the use of BGP peer-groups on Cisco routers is very convenient. Thanks to John Brown for the original example.
router bgp <your asn>
 neighbor cymru-bogon peer-group
 neighbor cymru-bogon ebgp-multihop 255
 neighbor cymru-bogon description <general description>
 neighbor cymru-bogon prefix-list cymru-out out
 neighbor cymru-bogon route-map CYMRUBOGONS in
 neighbor cymru-bogon maximum-prefix 100 threshold 90
 !
 neighbor x.x.x.x remote-as 65333
 neighbor x.x.x.x peer-group cymru-bogon
 neighbor x.x.x.x description <specific description>
 neighbor x.x.x.x password <your password>
Juniper router example
routing-options {
    static {
        route 192.0.2.1/32 {
            discard;
            no-readvertise;
            retain;
        }
    }
    /* If you have declared 192.0.2.0/24 as a bogon add this entry. */
    martians {
        192.0.2.1/32 exact allow;
    }
    autonomous-system <your AS here>;
}
protocols {
    bgp {
        group CYMRU {
            type external;
            description "peering to receive bogons from CYMRU";
            import CYMRU-bogons-in;
            authentication-key "secretkey"; # SECRET-DATA
            export deny-all;
            peer-as 65333;
            /* Below may also be expressed as "multihop 255;" depending on your version */
            multihop {
                ttl 255;
            }
            neighbor <bogon rs IP>;
            local-address <your IP we are peering with>;
            family inet {
                unicast {
                    prefix-limit {
                        maximum 100;
                        teardown 100;
                    }
                }
            }
        }
    }
}
policy-options {
    policy-statement CYMRU-bogons-in {
        term 1 {
            from {
                protocol bgp;
                as-path CYMRU-private-asn;
                community CYMRU-bogon-community;
            }
            then {
                /* backup in case no-export is cleared internally */
                community add dont-announce;
                next-hop 192.0.2.1;
                accept;
            }
        }
        then reject; # default action
    }
    policy-statement deny-all {
        then reject;
    }
    community dont-announce members <your as here>:<some community that suppresses announcements outside your as>;
    community CYMRU-bogon-community members [ no-export 65333:888 ];
    as-path CYMRU-private-asn 65333;
}
Force10 router example
router bgp <your asn>
 neighbor IPV4_BOGONS peer-group
 neighbor IPV4_BOGONS route-map CYMRU_BOGONS in
 neighbor IPV4_BOGONS distribute-list CYMRU_OUT out
 neighbor IPV4_BOGONS maximum-prefix 100 90
 neighbor IPV4_BOGONS soft-reconfiguration inbound
 neighbor IPV4_BOGONS no shutdown
 neighbor x.x.x.x remote-as 65333
 neighbor x.x.x.x peer-group IPV4_BOGONS
 neighbor x.x.x.x description <your description>
 neighbor x.x.x.x ebgp-multihop 255
 neighbor x.x.x.x password <your password>
 neighbor x.x.x.x no shutdown
!
! Set a bogon next-hop on all routers that receive the bogons.
ip route 192.0.2.1 255.255.255.255 null0
!
! Configure a community list to accept the bogon prefixes into the
! route-map.
ip community-list CYMRU_COMMUNITY permit 65333:888
!
! Configure the route-map. Remember to apply it to the proper
! peering sessions (the route-map and prefix-list names must match
! the ones referenced in the peer-group above).
route-map CYMRU_BOGONS permit 10
 description Filter bogons learned from cymru.com bogon route-servers
 match community CYMRU_COMMUNITY
 set next-hop 192.0.2.1
!
ip prefix-list CYMRU_OUT seq 5 deny any
OpenBSD bgpd example
OpenBSD's bgpd project can also be used to peer with the bogon route-servers. Our thanks to Pete Vickers for this example.
# config snippet for /etc/bgpd.conf
#
# Based on config by Pete Vickers 05/2004.
#
# Modified slightly to intermingle with pf, and
# also to apply policy to cymru-sourced routes
# received from IBGP peers.
#
# Configure sessions with cymru reprobates
#
group "peering bogon" {
remote-as 65333
local-address <MY-ROUTER-IP>
multihop 64
announce none
max-prefix 1000
tcp md5sig password <PASSWORD>
neighbor <BOGON-ROUTE-SERVER-1-IP>
neighbor <BOGON-ROUTE-SERVER-2-IP>
# ... etc
}
#
#
# What to do with updates (can be used with updates from
# cymru peers, and also from IBGP peers if other routers
# in this AS also take a bogon feed). The "nexthop
# blackhole" is a little extraneous given the pf config,
# worth keeping in case the packet filter is disabled
# at any point.
#
allow from any community 65333:888 set pftable "bogons"
allow from any community 65333:888 set nexthop blackhole
# config snippet for /etc/pf.conf
#
table <bogons> persist
#
# no bogon sources or destinations
block quick from <bogons> to any
block quick from any to <bogons>
Mikrotik RouterOS example
This example of how to configure a Mikrotik RouterOS box to use the Bogon Route Server Project is thanks to Ariel S. Weher.
# Config by Ariel S. Weher, based on Team Cymru's Cisco Template.
# Working in the 3.X version of Mikrotik RouterOS.
/routing bgp instance
set default as=<YOUR_ASN_NUMBER> client-to-client-reflection=yes comment="" disabled=no \
ignore-as-path-len=no name=default out-filter="" redistribute-connected=\
no redistribute-ospf=no redistribute-other-bgp=no redistribute-rip=no \
redistribute-static=no router-id=<Your router-id ip address>
/ip firewall address-list
add address=<SESSION#1.Team-Cymru's.IP.Address> comment="TEAM-CYMRU BOGON Server #1" disabled=no list=BGP-NEIGHBORS
add address=<SESSION#2.Team-Cymru's.IP.Address> comment="TEAM-CYMRU BOGON Server #2" disabled=no list=BGP-NEIGHBORS
/ip firewall filter
add action=accept chain=input comment="BGP Neighbors" disabled=no dst-port=179 protocol=\
tcp src-address-list=BGP-NEIGHBORS
/ip route
add comment="Blackhole traffic route" disabled=no distance=1 dst-address=192.0.2.1/32 type=blackhole
/routing bgp peer
add address-families=ip comment="TEAM-CYMRU BOGON Server #1" disabled=no hold-time=3m in-filter=BOGON-SERVER-IN \
instance=default max-prefix-limit=50 multihop=yes name=CYMRU-1 \
nexthop-choice=default out-filter=BGP-DROP remote-address=\
<SESSION#1.Team-Cymru's.IP.Address> remote-as=65333 route-reflect=no tcp-md5-key=Password_Received_From_Cymru ttl=255
add address-families=ip comment="TEAM-CYMRU BOGON Server #2" disabled=no hold-time=3m in-filter=BOGON-SERVER-IN \
instance=default max-prefix-limit=50 multihop=yes name=CYMRU-2 \
nexthop-choice=default out-filter=BGP-DROP remote-address=\
<SESSION#2.Team-Cymru's.IP.Address> remote-as=65333 route-reflect=no tcp-md5-key=Password_Received_From_Cymru ttl=255
/routing filter
add action=accept bgp-communities=65333:888 chain=BOGON-SERVER-IN comment="" \
disabled=no invert-match=no protocol=bgp set-out-nexthop=192.0.2.1
add action=discard chain=BOGON-SERVER-IN comment="" disabled=no invert-match=\
no protocol=bgp
add action=discard chain=BGP-DROP comment="" disabled=no invert-match=no \
protocol=bgp
If none of these methods will work for you then please contact us for assistance. We are also eager to hear your suggestions on other filtering methods!
How Do I Obtain a Peering Session?
To peer with the bogon Route Server, contact team-cymru@cymru.com. When requesting a peering session, please include the following information in your email:
- Your AS number
- The IP address(es) you want us to peer with
- Does your equipment support MD5 passwords for BGP sessions?
- Optional: your GPG/PGP public key
We will typically provide multiple peering sessions (at least 2) for redundancy. If you would like more or less than 2 sessions please note that in your request. We try to respond to new peering requests within one business day.
Remember that you must be able to accommodate up to 100 prefixes and be capable of multihop peering with a private ASN. If you improperly configure your peering and route all packets destined for bogon addresses to the bogon route-servers, your peering session will be dropped.
Credits
- Thanks to John Brown for the configuration example.
- Thanks to Roy Engehausen for catching some errors and suggesting some enhancements.
- Thanks to Pete Vickers for the original OpenBSD bgpd configuration example.
- Thanks to Joe Abley for enhancing the OpenBSD bgpd configuration example.
- Thanks to Marko Veelma for spotting some additional errors.
- Thanks to Taka Mizuguchi and Tak Morinobu for the Japanese translation of this page. (We apologize that this translation is currently quite out-of-date - please contact us if you are willing and able to assist with an updated translation.)
- Thanks to Ariel Weher for the Spanish translation of this page.
- Thanks to Eddie Parra for some tips to improve the Juniper configuration example.
The free bogon filters, monitoring, and tracking are supported thanks to the kind donations of peering, hosting, gear, and time from several individuals and organizations. If you would like to donate to the cause, be it a peering session, old gear, or good coffee :), contact Team Cymru.
We hope these links, references, and monitoring are useful to you. Please share your suggestions, comments, and references with us! Direct your comments to team-cymru@cymru.com.