BOGON Prefix Filtering, Part-2

By | April 13, 2022

Bogon filtering can be implemented statically or dynamically. The disadvantage of static filtering is that the list has to be maintained by hand: the bogon ranges change whenever the Internet registries allocate (or reclaim) address space, so a static list goes stale unless you keep revisiting it.

Because the full bogon list is very large, configuring every prefix statically is impractical. The better way is to learn the bogon prefixes dynamically from the Team Cymru bogon route-servers: you peer with their BGP routers, receive the full list of IPv4 and IPv6 bogon routes, and use a route-map to set the next hop of those routes to a black hole (a null route).

Let us first look at how bogon prefixes can be filtered statically. There are thousands of IPv4 bogon prefixes, so here we only filter the well-known ones (the private, reserved, documentation, benchmarking, multicast and Class E ranges).

1-Static Filtering in Cisco Edge Router.

This is very easy to configure. I will apply the filter inbound on my edge router, on the eBGP session towards my upstream, so that bogon prefixes received from the upstream are rejected before they enter my ASN. I am sitting on the customer router.

ip prefix-list BOGON seq 5 deny 0.0.0.0/8 le 32
ip prefix-list BOGON seq 10 deny 10.0.0.0/8 le 32
ip prefix-list BOGON seq 15 deny 100.64.0.0/10 le 32
ip prefix-list BOGON seq 20 deny 127.0.0.0/8 le 32
ip prefix-list BOGON seq 25 deny 169.254.0.0/16 le 32
ip prefix-list BOGON seq 30 deny 172.16.0.0/12 le 32
ip prefix-list BOGON seq 35 deny 192.0.0.0/24 le 32
ip prefix-list BOGON seq 40 deny 192.0.2.0/24 le 32
ip prefix-list BOGON seq 45 deny 192.168.0.0/16 le 32
ip prefix-list BOGON seq 50 deny 198.18.0.0/15 le 32
ip prefix-list BOGON seq 55 deny 198.51.100.0/24 le 32
ip prefix-list BOGON seq 60 deny 203.0.113.0/24 le 32
ip prefix-list BOGON seq 65 deny 224.0.0.0/3 le 32
ip prefix-list BOGON seq 200 permit 0.0.0.0/0 le 32


router bgp 13232
  neighbor 10.10.32.40 prefix-list BOGON in

2-Static Filtering in MikroTik Edge router.

/routing filter
add action=discard address-family=ip chain=BHARTI-IN prefix=0.0.0.0/8 prefix-length=8-32 protocol=bgp
add action=discard address-family=ip chain=BHARTI-IN prefix=10.0.0.0/8 prefix-length=8-32 protocol=bgp
add action=discard address-family=ip chain=BHARTI-IN prefix=100.64.0.0/10 prefix-length=10-32 protocol=bgp
add action=discard address-family=ip chain=BHARTI-IN prefix=127.0.0.0/8 prefix-length=8-32 protocol=bgp
add action=discard address-family=ip chain=BHARTI-IN prefix=169.254.0.0/16 prefix-length=16-32 protocol=bgp
add action=discard address-family=ip chain=BHARTI-IN prefix=172.16.0.0/12 prefix-length=12-32 protocol=bgp
add action=discard address-family=ip chain=BHARTI-IN prefix=192.0.0.0/24 prefix-length=24-32 protocol=bgp
add action=discard address-family=ip chain=BHARTI-IN prefix=192.0.2.0/24 prefix-length=24-32 protocol=bgp
add action=discard address-family=ip chain=BHARTI-IN prefix=192.168.0.0/16 prefix-length=16-32 protocol=bgp
add action=discard address-family=ip chain=BHARTI-IN prefix=198.18.0.0/15 prefix-length=15-32 protocol=bgp
add action=discard address-family=ip chain=BHARTI-IN prefix=198.51.100.0/24 prefix-length=24-32 protocol=bgp
add action=discard address-family=ip chain=BHARTI-IN prefix=203.0.113.0/24 prefix-length=24-32 protocol=bgp
add action=discard address-family=ip chain=BHARTI-IN prefix=224.0.0.0/4 prefix-length=4-32 protocol=bgp
add action=discard address-family=ip chain=BHARTI-IN prefix=240.0.0.0/4 prefix-length=4-32 protocol=bgp
add action=accept chain=BHARTI-IN

/routing bgp peer
add in-filter=BHARTI-IN name=BHARTI out-filter=BHARTI-OUT remote-address=\
    10.1.31.32 remote-as=12345


3-Static Filtering in Huawei Edge router.

ip ip-prefix BOGON index 10 deny 0.0.0.0 8 less-equal 32
ip ip-prefix BOGON index 15 deny 10.0.0.0 8 less-equal 32
ip ip-prefix BOGON index 20 deny 100.64.0.0 10 less-equal 32
ip ip-prefix BOGON index 25 deny 127.0.0.0 8 less-equal 32
ip ip-prefix BOGON index 30 deny 169.254.0.0 16 less-equal 32
ip ip-prefix BOGON index 35 deny 172.16.0.0 12 less-equal 32
ip ip-prefix BOGON index 40 deny 192.0.0.0 24 less-equal 32
ip ip-prefix BOGON index 45 deny 192.0.2.0 24 less-equal 32
ip ip-prefix BOGON index 50 deny 192.168.0.0 16 less-equal 32
ip ip-prefix BOGON index 55 deny 198.18.0.0 15 less-equal 32
ip ip-prefix BOGON index 60 deny 198.51.100.0 24 less-equal 32
ip ip-prefix BOGON index 65 deny 203.0.113.0 24 less-equal 32
ip ip-prefix BOGON index 70 deny 224.0.0.0 3 less-equal 32
ip ip-prefix BOGON index 200 permit 0.0.0.0 0 less-equal 32

<Ctr-1> system-view
[Ctr-1] bgp 13232
[Ctr-1-bgp] peer 10.1.32.3 as-number 12345
[Ctr-1-bgp] ipv4-family unicast
[Ctr-1-bgp-af-ipv4] peer 10.1.32.3 ip-prefix BOGON import
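Typing the same ranges three times, once per vendor, is exactly how lists drift apart. If you do stay with static filtering, generate the vendor syntax from a single source list instead of hand-editing it. The Python below is an added example, not code from the post or from Team Cymru: it reads a bogon list in the plain-text shape of the published lists (assumed here to be `#` comment lines plus one CIDR per line; the sample is constructed, not a real download), aggregates adjacent ranges, and renders the Cisco, MikroTik and Huawei forms used in this post. The chain name BHARTI-IN and the sequence numbering are taken from the examples above.

```python
import ipaddress

# Constructed sample in the plain-text shape of a published bogon list:
# '#' comment lines and one CIDR per line. A real list is far longer.
SAMPLE_BOGON_LIST = """\
# bogon list, constructed sample (not a real download)
# updated 2022-04-13
0.0.0.0/8
10.0.0.0/8
100.64.0.0/10
127.0.0.0/8
169.254.0.0/16
172.16.0.0/12
192.0.0.0/24
192.0.2.0/24
192.168.0.0/16
198.18.0.0/15
198.51.100.0/24
203.0.113.0/24
224.0.0.0/4
240.0.0.0/4
"""


def parse_bogon_list(text):
    """Return the CIDRs in the list, aggregated and sorted.

    collapse_addresses() merges adjacent equal-size blocks (224.0.0.0/4 and
    240.0.0.0/4 become 224.0.0.0/3) and drops any prefix already covered by
    a shorter one, so the rendered filter carries no redundant lines.
    """
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if line:
            nets.append(ipaddress.IPv4Network(line))
    return list(ipaddress.collapse_addresses(nets))


def render_cisco(nets, name="BOGON", start=5, step=5):
    """IOS prefix-list; the closing permit takes the sequence after the last deny."""
    lines = [f"ip prefix-list {name} seq {start + i * step} deny {n} le 32"
             for i, n in enumerate(nets)]
    lines.append(f"ip prefix-list {name} seq {start + len(nets) * step} "
                 f"permit 0.0.0.0/0 le 32")
    return lines


def render_mikrotik(nets, chain="BHARTI-IN"):
    """RouterOS v6 routing filter, same shape as the MikroTik section above."""
    lines = ["/routing filter"]
    for n in nets:
        lines.append(f"add action=discard address-family=ip chain={chain} "
                     f"prefix={n} prefix-length={n.prefixlen}-32 protocol=bgp")
    lines.append(f"add action=accept chain={chain}")
    return lines


def render_huawei(nets, name="BOGON", start=10, step=5):
    """VRP ip-prefix; the mask length is a separate token, not CIDR notation."""
    lines = [f"ip ip-prefix {name} index {start + i * step} deny "
             f"{n.network_address} {n.prefixlen} less-equal 32"
             for i, n in enumerate(nets)]
    lines.append(f"ip ip-prefix {name} index {start + len(nets) * step} "
                 f"permit 0.0.0.0 0 less-equal 32")
    return lines


if __name__ == "__main__":
    nets = parse_bogon_list(SAMPLE_BOGON_LIST)
    for render in (render_cisco, render_mikrotik, render_huawei):
        print("\n".join(render(nets)), end="\n\n")
```

Regenerating and pasting the output on each update is still static filtering, with all the staleness described above; the generator only removes the typing errors, not the maintenance.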

Dynamic Bogon Filtering.

Dynamic bogon filtering is the scalable solution: instead of building the filter list ourselves, we peer with a bogon tracker that maintains the list for us. It is also efficient, because when a bogon range changes the tracker simply sends a BGP update (a new advertisement or a withdrawal) and our router picks it up without any manual work. There are thousands of bogon prefixes on the Internet, and matching them statically with a prefix-list or ACL and discarding them is not practical.

To filter bogon prefixes dynamically we need a real-time bogon tracker that keeps the full bogon table current. Team Cymru provides the full bogon list for both IPv4 and IPv6 over a dedicated BGP session with their bogon route-servers. If you want to peer with them you submit a peering request; once the session is up they advertise all the current bogon prefixes to you, and as the ranges change they keep sending updates, so your filter stays current without intervention.

As you can see in the diagram above, my edge router peers with the Team Cymru route server over a multihop eBGP session. The route server advertises all the bogon prefixes to me, and I blackhole them on my router by pointing their next hop at a static route to Null0. Note that the next hop used, 192.0.2.1, is itself a bogon (it lies in the TEST-NET-1 documentation range), so it can never collide with a real next-hop address. The configuration is given below; it is the Cisco template from Team Cymru's documentation, linked at the end of this post.

router bgp <your asn>
  neighbor x.x.x.x remote-as 65333
  neighbor x.x.x.x ebgp-multihop 255
  neighbor x.x.x.x description <your description>
  neighbor x.x.x.x prefix-list cymru-out out
  neighbor x.x.x.x route-map CYMRUBOGONS in
  neighbor x.x.x.x password <your password>
  neighbor x.x.x.x maximum-prefix 100 threshold 90
! You'll need to increase the maximum to at least 50000 with an
! appropriate thresholds if you're receiving one or both fullbogons
! feeds.
!
! Depending on IOS version, you may need to configure your router
! for new-style community syntax.
ip bgp-community new-format
!
! Set a bogon next-hop on all routers that receive the bogons.
ip route 192.0.2.1 255.255.255.255 null0
!
! Configure a community list to accept the bogon prefixes into the
! route-map.
ip community-list 10 permit 65333:888
!
! Configure the route-map.  Remember to apply it to the proper
! peering sessions.
route-map CYMRUBOGONS permit 10
  description Filter bogons learned from cymru.com bogon route-servers
  match community 10
  set ip next-hop 192.0.2.1
!
ip prefix-list cymru-out seq 5 deny 0.0.0.0/0 le 32
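To see what the route-map above does with what actually arrives on the session, here is an added Python emulation; it is not Team Cymru's code and not from the original post. It models the `match community 10` / `set ip next-hop` clause together with the route-map's implicit deny, approximates the `maximum-prefix ... threshold` behaviour, and adds one sanity check that is my own assumption rather than something the post states: a feed entry overlapping space you announce yourself would be blackholed inside your network. The routes are constructed, and 203.0.113.10 stands in for the route-server address x.x.x.x.

```python
import ipaddress
from dataclasses import dataclass

BOGON_COMMUNITY = "65333:888"      # what 'ip community-list 10' permits above
BLACKHOLE_NEXT_HOP = "192.0.2.1"   # the static route to Null0 above
ROUTE_SERVER = "203.0.113.10"      # constructed stand-in for x.x.x.x


@dataclass(frozen=True)
class Route:
    prefix: str
    next_hop: str
    communities: tuple = ()


# Constructed sample of what might arrive on the session: three prefixes
# tagged with the bogon community and one that is not.
SAMPLE_RECEIVED = [
    Route("10.0.0.0/8", ROUTE_SERVER, (BOGON_COMMUNITY,)),
    Route("198.18.0.0/15", ROUTE_SERVER, (BOGON_COMMUNITY,)),
    Route("198.51.100.0/24", ROUTE_SERVER, (BOGON_COMMUNITY,)),
    Route("8.8.8.0/24", ROUTE_SERVER, ()),  # untagged: must not be installed
]


def apply_cymru_route_map(routes):
    """Emulate 'route-map CYMRUBOGONS in'.

    Clause 'permit 10' matches community-list 10 and rewrites the next hop
    to the blackhole address. A route that matches no clause hits the
    route-map's implicit deny, so it is dropped rather than installed with
    the route-server as its next hop.
    """
    accepted, rejected = {}, []
    for r in routes:
        if BOGON_COMMUNITY in r.communities:
            accepted[r.prefix] = BLACKHOLE_NEXT_HOP
        else:
            rejected.append(r.prefix)
    return accepted, rejected


def check_max_prefix(accepted, maximum, threshold_pct):
    """Approximate 'neighbor ... maximum-prefix N threshold P'.

    'shutdown' once the count exceeds N (IOS tears the session down unless
    warning-only is configured), 'warning' at or above P percent of N,
    otherwise 'ok'. With the 100 in the template a fullbogons feed would be
    far past 'shutdown', which is why the comment says to raise it.
    """
    count = len(accepted)
    if count > maximum:
        return "shutdown"
    if count * 100 >= maximum * threshold_pct:
        return "warning"
    return "ok"


def overlaps_own_space(accepted, own_prefixes):
    """Sanity check (my assumption, not something the post states): any feed
    entry that overlaps space you announce yourself would be blackholed
    inside your network, so it deserves a look before the feed is trusted."""
    own = [ipaddress.IPv4Network(p) for p in own_prefixes]
    return [p for p in accepted
            if any(ipaddress.IPv4Network(p).overlaps(o) for o in own)]


if __name__ == "__main__":
    accepted, rejected = apply_cymru_route_map(SAMPLE_RECEIVED)
    print("installed via blackhole:", accepted)
    print("dropped by implicit deny:", rejected)
    print("max-prefix 100 threshold 90:", check_max_prefix(accepted, 100, 90))
    print("overlaps own space:", overlaps_own_space(accepted, ["198.51.100.0/24"]))
```

The point of the community match is that the session accepts nothing it cannot prove came from the bogon feed: a route without 65333:888 is not installed at all, which is a stronger guarantee than filtering on prefix alone.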

You can also find the configuration details, including the equivalents for other platforms, at the link below.

https://team-cymru.com/community-services/bogon-reference/bogon-reference-bgp/bgp-examples/#cisco-trad