|Bogon List: A lesson learned in the world of reserved IP addresses|
You may have this problem and not even know it!
| 11:30 pm on Aug 24, 2009 (gmt 0)|
I first heard of the Bogon list a few months ago when a network administrator for a company had contacted me in regard to customers not being able to reach my site. He said they had allotted new IP addresses to these customers that were recently released from the "Bogon List". I had no idea what the Bogon list was. (Google it for more information.)
Well, I have since learned that it is a reserved list of IP ranges that have not been allocated yet for public use. In the past they were commonly abused by DDoS attackers and because of this, many routers and ISPs will block them by default... In fact, they go a step further and ignore/drop all requests originating from these ranges to save on processing time, since no one should be using them.
So why should we care about them? Well, as I recently discovered, it is common practice when a firewall is setup on a server to have this list included in the configuration as IP ranges that should be ignored.
Unknown to me when I bought my server last year and requested a firewall be installed, the Bogon list (at that time, one year ago) was configured as well within the firewall (APF on Linux).
As the months went by I did not notice any problems. But in the last few months I started finding some weird issues in other discussion forums. Folks were posting threads asking if my site was gone... saying they had not been able to access it in weeks. At first I thought it was isolated, but then I found more users posting around the web saying they could not get to our site. Luckily I stumbled across these posts, because the users themselves could not tell me about the problem, since they could no longer access my site.
Long story short, these users were using recently allocated IP addresses released from the Bogon list. My server was blocking them since I had not kept my firewall rules up to date. I had no idea this was something I even needed to worry about. It finally took a call from a Time Warner network guy to help me realize the problem was my server. My own ISP support team even told me it was not my server, they said they don't configure anything with Bogon directly on servers...
So at last I found the configuration file called "reserved-networks" (go figure!). It contained the very old Bogon list. I was unknowingly blocking about 10 new IP ranges!
After removing the blocks, my traffic went up about 15% immediately. I started seeing comments on the site from users who were saying they had been trying to get to the site for months and now finally can access it again.
Moral of the story: Bogon can be your friend and your enemy... If you manage your own server with a firewall, make sure you know what is being blocked by default. If you block Bogon IP ranges, stay on top of the changes to that list. Every month or so new IP ranges get released and you might be blocking potential new customers.
| 7:15 am on Aug 31, 2009 (gmt 0)|
I wasn't aware of this list. Thanks for explaining it.
What's the best practice to keep up with this list? It appears to be constantly evolving.
| 2:33 pm on Aug 31, 2009 (gmt 0)|
I asked my tech support guys from my ISP; they had a workable idea:
|Run this quick little string to get to the good stuff |
wget [iana.org...] && cat ./index.html | grep -e RESERVED -e UNALLOCATED | cut -d / -f 1 > ./bogon && rm ./index.html
This copies the site, then searches it for lines with the word RESERVED or UNALLOCATED, then cuts those lines down to the first digits.
If you wanted to, you could set that as a cron job to run every few weeks. It would take some more editing to get it to push the right numbers to the IPTABLES.conf
With my server (CentOS 5) I have a file called "reserved-networks" that contains this list, so for me I could have that file created automatically using this script every month or so, and have the job restart the firewall.
I have not set this up yet, but in theory it seems like it might work.
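The procedure described in this post, as an added example that is not part of the thread: derive the /8 bogon list from an IANA-style address-space table with the same grep/cut filter, and then report which entries in an existing "reserved-networks" file are no longer bogons and should be removed. The IANA table and the old reserved-networks contents are constructed samples embedded inline; against live data you would feed in the downloaded page instead.

```shell
#!/bin/sh
# Added example (not from the thread): build a /8 bogon list from an
# IANA-style address-space table and flag stale firewall entries.

# Constructed sample in the layout of the IANA ipv4-address-space table
# (prefix, designation, date, status). Not real data.
IANA_SAMPLE='Prefix Designation Date Status
000/8 IANA-Reserved 1981-09 RESERVED
001/8 APNIC 2010-01 ALLOCATED
005/8 IANA 1995-07 UNALLOCATED
014/8 APNIC 2010-04 ALLOCATED
037/8 IANA 1995-07 UNALLOCATED
127/8 IANA-Loopback 1981-09 RESERVED'

# Constructed contents of a "reserved-networks" file installed a year ago.
OLD_RESERVED='0.0.0.0/8
1.0.0.0/8
5.0.0.0/8
14.0.0.0/8
127.0.0.0/8'

# Same filter as the post (RESERVED or UNALLOCATED, keep the /8 number),
# then normalise "005" into the dotted CIDR form a firewall config expects.
extract_bogons() {
    printf '%s\n' "$IANA_SAMPLE" \
        | grep -e RESERVED -e UNALLOCATED \
        | cut -d / -f 1 \
        | awk '{ printf "%d.0.0.0/8\n", $1 }'
}

# Entries still blocked by the old file but absent from the current bogon
# list: these ranges have since been allocated, so real customers may be
# sitting behind them and the rules must be removed.
stale_entries() {
    current=$(extract_bogons)
    printf '%s\n' "$OLD_RESERVED" | while read -r net; do
        printf '%s\n' "$current" | grep -qxF "$net" || printf '%s\n' "$net"
    done
}
```

Running `stale_entries` on the samples prints `1.0.0.0/8` and `14.0.0.0/8`, the two ranges that were bogons a year ago and are now allocated; a cron job that emails that output is the check this thread is about.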
| 2:36 pm on Sep 1, 2009 (gmt 0)|
How would you pronounce this term?
| 2:37 pm on Sep 1, 2009 (gmt 0)|
Almost forgot, thank you for this post. It was news to me and I will find out if we are blocking these IP's.
| 4:00 pm on Sep 1, 2009 (gmt 0)|
You are welcome. I've been in this business a long time and had never heard of this before.
Not sure the correct pronunciation, but I say it like "bogey" but with the "on".
|Craven de Kere|
| 5:18 pm on Sep 1, 2009 (gmt 0)|
I advise others to not use such filtering at all. There are much better ways of securing your server than blacklisting unallocated ranges.
| 8:26 pm on Sep 1, 2009 (gmt 0)|
I wasn't sure for a while until I went to: [dictionary.reference.com...]
/boh'gon/ (By analogy with proton/electron/neutron, but doubtless reinforced after 1980 by the similarity to Douglas Adams's "Vogons")
1. The elementary particle of bogosity (see quantum bogodynamics). For instance, "the Ethernet is emitting bogons again" means that it is broken or acting in an erratic or bogus fashion.
2. A query packet sent from a TCP/IP domain resolver to a root server, having the reply bit set instead of the query bit.
3. Any bogus or incorrectly formed packet sent on a network.
4. A person who is bogus or who says bogus things. This was historically the original usage, but has been overtaken by its derivative senses. See also bogosity; compare psyton, fat electrons, magic smoke.
The bogon has become the type case for a whole bestiary of nonce particle names, including the "clutron" or "cluon" (indivisible particle of cluefulness, obviously the antiparticle of the bogon) and the futon (elementary particle of randomness, or sometimes of lameness). These are not so much live usages in themselves as examples of a live meta-usage: that is, it has become a standard joke or linguistic maneuver to "explain" otherwise mysterious circumstances by inventing nonce particle names. And these imply nonce particle theories, with all their dignity or lack thereof (we might note parenthetically that this is a generalisation from "(bogus particle) theories" to "bogus (particle theories)"!). Perhaps such particles are the modern-day equivalents of trolls and wood-nymphs as standard starting-points around which to construct explanatory myths. Of course, playing on an existing word (as in the "futon") yields additional flavour.
| 3:50 am on Sep 2, 2009 (gmt 0)|
Thanks for the info maximillianos :)
Didn't even know such a thing existed!
It seems that you had a dedicated server, and that's why you had to configure the setting yourself. This would be the responsibility of the hosting company in case you are on shared hosting.
| 3:58 am on Sep 2, 2009 (gmt 0)|
|I advise others to not use such filtering at all. There are much better ways of securing your server than blacklisting unallocated ranges. |
For certain specialised uses bogon filtering can be a very useful first cut. One example is UDP-based services.
The Team Cymru site contains many formats of the bogon lists including preconfigured Cisco configs. They are very good at keeping their copies current.
The one I use is the CIDR format plain text list. This is then massaged into a binary format file for certain applications.