Doug Vitale Tech Blog

Using Bogon IP addresses in access control lists

The external interface of your network’s perimeter device (such as a router or firewall) should never see data packets with certain source IP addresses. Some of these IP source addresses (known as bogons) are:

  • The loopback address, 127.0.0.0/8.
  • The APIPA address range of 169.254.0.0/16.
  • If your perimeter connects to the public Internet, the private address spaces specified in RFC 1918 (10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16).
  • Multicast addresses (224.0.0.0/4).
  • Research addresses (240.0.0.0/4).

If bogon packets are trying to make their way into your network, you can be reasonably sure that they are spoofed (faked) and that a distributed denial of service (DDoS) is underway. To protect your network from such a situation, you need to implement effective packet filtering at the perimeter so that bogon packets are dropped.

Fortunately, the Team Cymru website provides multiple examples of access control lists that you can copy to your perimeter hosts to keep bogons at bay. Team Cymru defines bogons as “Martians (private and reserved addresses defined by RFC 1918 and RFC 6890) and netblocks that have not been allocated to a regional internet registry (RIR) by the Internet Assigned Numbers Authority (IANA).” Team Cymru’s unaggregated list of bogon addresses is as follows:

  • 0.0.0.0/8
  • 10.0.0.0/8
  • 100.64.0.0/10
  • 127.0.0.0/8
  • 169.254.0.0/16
  • 172.16.0.0/12
  • 192.0.0.0/24
  • 192.0.2.0/24
  • 192.168.0.0/16
  • 198.18.0.0/15
  • 198.51.100.0/24
  • 203.0.113.0/24
  • 224.0.0.0/4
  • 240.0.0.0/4

If you wanted to block bogons and Martians on a Cisco router, you would configure an access control list like so:

! Define the inbound filter first, then apply it to the external interface.
access-list 100 deny ip 127.0.0.0 0.255.255.255 any log
access-list 100 deny ip 169.254.0.0 0.0.255.255 any log
access-list 100 deny ip 10.0.0.0 0.255.255.255 any log
access-list 100 deny ip 172.16.0.0 0.15.255.255 any log
access-list 100 deny ip 192.168.0.0 0.0.255.255 any log
access-list 100 deny ip <internal network range> <wildcard mask> any log
access-list 100 deny ip <IANA reserved addresses> 0.255.255.255 any log
access-list 100 deny ip <IANA unallocated addresses> 0.255.255.255 any log
! Every numbered ACL ends with an implicit "deny any"; without this final
! permit the interface would drop all inbound traffic, not just bogons.
access-list 100 permit ip any any
!
interface FastEthernet 0/0
 description external
 ip address 123.45.67.1 255.255.255.252
 ip access-group 100 in
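The following Python is an added example, not code from the original post or from Team Cymru: it turns the unaggregated bogon list above into Cisco ACL lines (computing the wildcard mask for each prefix) and checks the source addresses in a constructed sample of inbound firewall log lines against that list. The log format, the hostname "fw" and the source addresses in the sample are assumptions; 123.45.67.1 is the router address from the configuration above.

```python
from __future__ import annotations
import ipaddress

# Team Cymru's unaggregated IPv4 bogon list exactly as reproduced on the page.
BOGONS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.2.0/24",
    "192.168.0.0/16", "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24",
    "224.0.0.0/4", "240.0.0.0/4")]

def wildcard_mask(net: ipaddress.IPv4Network) -> str:
    """Cisco wildcard mask: the bit-inverse of the subnet mask (/12 -> 0.15.255.255)."""
    return str(net.hostmask)

def cisco_acl(acl_number: int = 100) -> list[str]:
    """Render the bogon list as an inbound numbered extended ACL.
    The closing 'permit ip any any' matters: a numbered ACL ends with an
    implicit deny, so without it every inbound packet would be dropped."""
    lines = [f"access-list {acl_number} deny ip {n.network_address} "
             f"{wildcard_mask(n)} any log" for n in BOGONS]
    lines.append(f"access-list {acl_number} permit ip any any")
    return lines

def matching_bogon(src_ip: str) -> str | None:
    """Return the bogon prefix containing src_ip, or None if it is routable."""
    addr = ipaddress.ip_address(src_ip)
    return next((str(n) for n in BOGONS if addr in n), None)

# Constructed sample of inbound packets as logged on the external interface
# (123.45.67.2 stands in for the provider side of the /30 link; assumed).
SAMPLE_LOG = """\
Dec  1 16:11:00 fw IN=eth0 SRC=10.1.2.3 DST=123.45.67.1 PROTO=TCP DPT=80
Dec  1 16:11:01 fw IN=eth0 SRC=198.51.100.7 DST=123.45.67.1 PROTO=UDP DPT=53
Dec  1 16:11:02 fw IN=eth0 SRC=123.45.67.2 DST=123.45.67.1 PROTO=ICMP
Dec  1 16:11:03 fw IN=eth0 SRC=224.0.0.251 DST=123.45.67.1 PROTO=UDP DPT=5353
"""

def flag_bogon_sources(log_text: str) -> list[tuple[str, str]]:
    """Return (source, bogon_prefix) for every logged packet whose source
    address should never appear inbound on the external interface."""
    hits = []
    for line in log_text.splitlines():
        for field in line.split():
            if field.startswith("SRC="):
                prefix = matching_bogon(field[4:])
                if prefix:
                    hits.append((field[4:], prefix))
    return hits
```

Running `print("\n".join(cisco_acl()))` yields 14 deny lines plus the final permit, and `flag_bogon_sources(SAMPLE_LOG)` flags the three spoofed sources while leaving the provider-side address alone.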

For additional commentary on bogon packets visit Wikipedia.

Recommended reading

If you found the content of this article helpful and want to expand your knowledge further, please consider buying a relevant book using the links below. Thanks!

  • Cisco Firewalls (on Amazon)
  • Cisco ASA: All-in-one Next-Generation Firewall, IPS, and VPN Services (on Amazon)
  • Network Warrior (on Amazon)
  • CCNA Study Guide: Exams 100-101, 200-101, 200-120 (on Amazon)

Written by Doug Vitale

December 1, 2011 at 4:11 PM
