BOGON Prefixes Filtering.Part-1

By | April 13, 2022

The bogon Prefixes are the type of Prefixes that are not routable on the global internet or you can say these prefixes even do not exist on the internet so these Prefixes are not allocated by IANA or any of your local internet registry (Such as AFRINIC, ARIN, APNIC, LACNIC,RIPE NCC etc etc.). A packet routed over the public Internet should never have an address in a bogon IP range.

As you can see from the below diagram, The graph of the bogon prefix announcement is really very high on the internet and also some prominent ASN on the internet have leaked these prefixes. Find the graph of the bogon prefixes advertisement given below.

Why Should I care about Bogon prefixes ??.

As we all know the bogon prefixes are not routable and doe’s not exist on the internet, It means there is no such destination or source that exists on the internet from these bogon IP pools. So any traffic detected from these IPs over the internet is called malicious traffic.

We have to block the traffic from Bogon prefixes in incoming and outgoing directions because bogon traffics are concerned as malicious traffic and this traffic is commonly found as the source address of DDoS attacks.. So if you don’t filter these IPs and if by mistake it gets routed on the global internet then the attackers on the internet may use bogon prefixes as a source of the attack. You may wonder why the attackers will use the bogon prefixes as sources ?, The reason is bogon sources are very difficult to find the real source of the attack.

All the Transit provider(ISP) filters the bogon prefixes inbound and outbound direction for their ASN so the traffic on these bogon prefixes can’t be transited or reach any Customer ASN. But sometimes, By-mistakenly the bogon prefixes can be routed by an ISP because of the wrong filtering technique. So it’s recommended to have a strict bogon filter in customer ASN too, instead of expecting everything from ISP.

So you as an enterprise customer and if your ASN is connected to an ISP through EBGP so make sure you are filtering bogon prefixes in both directions inbound and outbound on your edge.

An ISP must have placed the filter policy for the Bogon prefixes in the inbound direction before they enter into their transit ,But a enterprise customer must have a filter for the Bogon prefixes in both directions inbound and outbound as well.

Bogon Filtering Types.

1-Static Filtering.
2-Dynamic Filtering.

1-Static Bogon Filtering

Static filtering is basically you have to configure it statically by using a static filtering technique like ACL or Prefix list along witch route map. But this solution is not scalable because The bogon lists change frequently as per the allocation changes by the internet registry. So If you filter bogons statically, please make sure that you have to keep your filters list up-to-date but it’s really very difficult in real deployment and if you fail to do so, it may result in you filtering legitimate traffic. Static filtering can create extra work for network administrators around the globe. This is especially true for the full bogons list, which has significant changes every day. So This is where the dynamic filtering comes in which can be done by BGP.

2-Dynamic Bogon Filtering.

One of the most appropriate ways to filter the bogon prefixes is by Bogon Route Server Project. The Bogon Route Server Project is a free service that is maintained by Team Cymru and they keep updated all the bogon prefixes list on the internet in real-time. So if your router peers with the Team Cymru Router then your router will have an updated bogon database in real-time. Basically, Team Cymru router tracking and updating your router immediately if there is any changes in the bogon IP ranges.

so basically your Edge router will peer with the Team Cymru route server on a cloud over a multi-hop EBGP session .and then the Team Cymru route server will announce all the bogon routes to your router and then you can assign a single community value to all bogon prefixes which you are receiving from Team Cymru router server and then configure a next-hop IP which is not routable in your network and then you can point a static route towards null 0 for that next-hop IP . Once the nexthop route will be pointed to null 0 then all of your bogon traffic will be discarded.

Note:-you have to configure a static route for that next-hop ip to null 0. so that the bogon prefixes will be blackholed.

Some Common Bogon prefixes.

0.0.0/8
10.0.0.0/8
100.64.0.0/10
127.0.0.0/8
169.254.0.0/16
172.16.0.0/12
192.0.0.0/24
192.0.2.0/24
192.168.0.0/16
198.18.0.0/15
198.51.100.0/24
203.0.113.0/24
224.0.0.0/3

Note: if you have peered with the Team Cymru router, They will not advertise the prefix (127.0.0.0/8,192.88.99.0/24,224.0.0.0/3) because the 127.0.0.0/8 localhost, 192.88.99.0/24 IPv6toIPv4 relay anycast, and 224.0.0.0/3 multicast prefixes ,so these prefixes are NOT included in full bogon BGP feeds. If you wish to filter these prefixes you will need to do so statically in your router with an ACL or prefix-list along with route-map.

In the Next blog, We will see the filtering configuration…See You Soon..!!!


Leave a Reply

Your email address will not be published.