Uncovering the Unknown by Bogon Reference for Improved Network Security

The Bogon Reference

Bogon filtering should be undertaken only if the impacts are well-understood. These are not simple filters, and can have adverse impacts if improperly applied. In particular, please consult RFC 6598 regarding 100.64.0.0/10. It’s important that you know your network, and that any planned filters are rigorously tested before adoption. These filters may be more applicable to some devices, such as gear that functions as a border router, than other devices.

 

What Is a Bogon, and Why Should I Filter It?

A bogon prefix is a route that should never appear in the Internet routing table. A packet routed over the public Internet (not including over VPNs or other tunnels) should never have an address in a bogon range. These are commonly found as the source addresses of DDoS attacks.

Bogons

Bogons are defined as Martians (private and reserved addresses defined by RFC 1918, RFC 5735, and RFC 6598) and netblocks that have not been allocated to a regional internet registry (RIR) by the Internet Assigned Numbers Authority (IANA).

Fullbogons

The Bogons list above reflects unallocated, reserved, and special designated IPv4 address ranges only. When address space is allocated by IANA to the RIRs, it is often subdivided before being assigned to specific networks. Our traditional bogons do not include the ranges that are unassigned by the RIRs. More importantly, our traditional bogons project predates wide adoption of IPv6 and does not include IPv6 addresses.

Are there limitations on this program?

Yes, we do have some limitations on this program. We require a short Memorandum of Understanding to be signed that outlines all the limitations in detail.

Enter the fullbogons!

Fullbogons begins with the traditional bogon prefixes. We then add the IP space allocated to the RIRs, but not yet assigned by them to ISPs or other end-users. This provides a much more granular and enumerative view of IP space that should not appear on the Internet.

 

Fullbogons are available for both IPv4 and IPv6. Due to the fragmented nature of IP allocations and assignments, the fullbogons feed is much larger than the traditional bogon feed.

How Much Does It Help to Filter Bogons?

Team Cymru CEO, Rob Thomas, studied a frequently attacked website to discover that 60% of the bad packets were obvious bogons (e.g. 127.1.2.3, 0.5.4.3, etc.). Your mileage may vary, and you may opt to filter more conservatively or more liberally. As always, you must KNOW YOUR NETWORK to understand the effects of such filtering.

Bogon filtering is a component of anti-spoofing filtering. Internet security includes an obligation to be a good steward of those resources under our care. If one sizeable network is insecure, it WILL be used to abuse other networks.
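
The following added example, which is not Team Cymru's code or data, measures what share of the source addresses in a constructed sample fall in martian space, and shows how the result shifts for a device that legitimately sees 100.64.0.0/10. The prefix list is a static set drawn from the RFCs named above and omits unallocated space; `match_martian`, `bogon_share`, `behind_cgn` and the sample addresses are assumptions made for the example.

```python
import ipaddress

# Static martian prefixes drawn from RFC 1918, RFC 5735 and RFC 6598.
# Assumption: fixed illustration only; not the live bogon feed, and it
# omits unallocated space, which changes over time.
MARTIANS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.2.0/24",
    "192.168.0.0/16", "198.18.0.0/15", "198.51.100.0/24",
    "203.0.113.0/24", "224.0.0.0/4", "240.0.0.0/4",
)]
CGN = ipaddress.ip_network("100.64.0.0/10")  # RFC 6598 shared address space

# Constructed sample of observed source addresses (not real traffic).
SAMPLE = ["127.1.2.3", "0.5.4.3", "100.64.7.9", "10.9.8.7",
          "8.8.8.8", "1.1.1.1"]


def match_martian(addr, behind_cgn=False):
    """Return the martian prefix containing addr, or None if none does.

    behind_cgn=True skips 100.64.0.0/10, for devices that legitimately
    see RFC 6598 shared address space.
    """
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return None  # unparseable field: not counted as a bogon
    for net in MARTIANS:
        if behind_cgn and net == CGN:
            continue
        if ip in net:  # always False for IPv6 input against IPv4 prefixes
            return net
    return None


def bogon_share(sources, behind_cgn=False):
    """Return ([(source, prefix)], fraction of sources in martian space)."""
    hits = []
    for src in sources:
        net = match_martian(src, behind_cgn)
        if net is not None:
            hits.append((src, str(net)))
    return hits, (len(hits) / len(sources) if sources else 0.0)


if __name__ == "__main__":
    for cgn in (False, True):
        hits, frac = bogon_share(SAMPLE, behind_cgn=cgn)
        print(f"behind_cgn={cgn}: {frac:.0%} martian sources -> {hits}")
```

Running the same measurement against your own flow or firewall logs before enabling a filter shows which prefixes would actually be dropped on that device.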

The Bogon and Full Bogon Lists Are Not Static

The bogon lists change frequently. If you filter bogons, please make sure that you have a plan for keeping your filters up-to-date. Failing to do so may result in you filtering legitimate traffic. This can create extra work for network administrators around the globe. This is especially true for the fullbogons list, which has significant changes every day.

We recommend peering with us to receive the Bogons via BGP. We keep these BGP sessions updated with the most current view of address allocations available. Why take this on yourself?

Aggressive ingress and egress filtering is good and wise, but must be maintained. We try to make this as painless as possible…

  • We offer a variety of formats and methods by which you can receive these updates.

  • All formats are updated at the same intervals.

  • Our data is based on relevant RFCs, the IANA IPv4 allocation list (IPv4 summary page) and RIR data.

  • We constantly monitor for changes and update quickly when changes occur.

Obtaining a Peering Session!

We typically provide two peering sessions per remote peer for redundancy. If you would like more or less than two sessions, please note that in your request. We try to respond to new peering requests within one to two business days.

You must be able to accommodate up to 100 prefixes for traditional bogons, up to 250,000 prefixes for fullbogons, and be capable of multihop peering with a private ASN. Please take care to configure your peering sessions properly. On occasion, we have received bogon packets routed to us! We will drop peering sessions if this happens to keep our services up and running.
