Using Bogon IP addresses in access control lists
The external interface of your network’s perimeter device (such as a router or firewall) should never see data packets with certain source IP addresses. Some of these IP source addresses (known as bogons) are:
- The loopback address, 127.0.0.0/8.
- The APIPA address range of 169.254.0.0/16.
- If your perimeter connects to the public Internet, the private address spaces specified in RFC 1918 (10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16).
- Multicast addresses (126.96.36.199/4).
- Research addresses (240.0.0.0/4).
If bogon packets are trying to make their way into your network, you can be reasonably sure that they are spoofed (faked) and that a distributed denial of service (DDoS) is underway. To protect your network from such a situation, you need to implement effective packet filtering at the perimeter so that bogon packets are dropped.
Fortunately the Team Cymru website provides multiple examples of access control lists that you can copy to your perimeter hosts to keep bogons at bay. Team Cymru defines bogons as “Martians (private and reserved addresses defined by RFC 1918 and RFC 6890) and netblocks that have not been allocated to a regional internet registry (RIR) by the Internet Assigned Numbers Authority (IANA).” Team Cymru’s unaggregated list of bogon addresses is as follows:
If you wanted to block bogons and Martians on a Cisco router, you would configure an access control list like so:
interface FastEthernet 0/0 description external ip address 188.8.131.52 255.255.255.252 ip access-group 100 in access-list 100 deny ip 127.0.0.0 0.255.255.255 any log access-list 100 deny ip 169.254.0.0 0.0.255.255 any log access-list 100 deny ip 10.0.0.0 0.255.255.255 any log access-list 100 deny ip 172.16.0.0 0.15.255.255 any log access-list 100 deny ip 192.168.0.0 0.0.255.255 any log access-list 100 deny ip <internal network range> <wildcard mask> any log access-list 100 deny ip <IANA reserved addresses> 0.255.255.255 any log access-list 100 deny ip <IANA unallocated addresses> 0.255.255.255 any log .
For additional commentary on bogon packets visit Wikipedia.
If you found the content of this article helpful and want to expand your knowledge further, please consider buying a relevant book using the links below. Thanks!