Bogon List: A lesson learned in the world of reserved IP addresses
You may have this problem and not even know it!
maximillianos (WebmasterWorld Senior Member, 10+ Year Member)
Msg#: 3978016 posted 11:30 pm on Aug 24, 2009 (gmt 0)

I first heard of the Bogon list a few months ago when a network administrator for a company contacted me in regard to customers not being able to reach my site. He said they had allotted new IP addresses to these customers that were recently released from the "Bogon List". I had no idea what the Bogon list was. (Google it for more information.)

[cymru.com...]

Well, I have since learned that it is a reserved list of IP ranges that have not been allocated yet for public use. In the past they were commonly abused by DDoS attackers and because of this, many routers and ISPs will block them by default... In fact, they go a step further and ignore/drop all requests originating from these ranges to save on processing time, since no one should be using them.

So why should we care about them? Well, as I recently discovered, it is common practice when a firewall is set up on a server to have this list included in the configuration as IP ranges that should be ignored.

Unknown to me when I bought my server last year and requested a firewall be installed, the Bogon list (at that time, one year ago) was configured as well within the firewall (APF on Linux).

As the months went by I did not notice any problems. But in the last few months I started finding some weird issues in other discussion forums. Folks were posting threads asking if my site was gone... saying they had not been able to access it in weeks. At first I thought it was isolated, but then I found more users posting around the web saying they could not get to our site. Luckily I stumbled across these posts, because the users themselves could not tell me about the problem, since they could no longer access my site.

Long story short, these users were using recently allocated IP addresses released from the Bogon list. My server was blocking them since I had not kept my firewall rules up to date. I had no idea this was something I even needed to worry about. It finally took a call from a Time Warner network guy to help me realize the problem was my server. My own ISP support team even told me it was not my server, they said they don't configure anything with Bogon directly on servers...

So at last I found the configuration file called "reserved-networks" (go figure!). It contained the very old Bogon list. I was unknowingly blocking about 10 new IP ranges!

After removing the blocks, my traffic went up about 15% immediately. I started seeing comments on the site from users who were saying they had been trying to get to the site for months and now finally can access it again.

Moral of the story: Bogon can be your friend and your enemy... If you manage your own server with a firewall, make sure you know what is being blocked by default. If you block Bogon IP ranges, stay on top of the changes to that list. Every month or so new IP ranges get released and you might be blocking potential new customers.

bill (WebmasterWorld Administrator, Top Contributor of All Time, 10+ Year Member, Best Post Of The Month)
Msg#: 3978016 posted 7:15 am on Aug 31, 2009 (gmt 0)

I wasn't aware of this list. Thanks for explaining it.

What's the best practice to keep up with this list? It appears to be constantly evolving.

maximillianos (WebmasterWorld Senior Member, 10+ Year Member)
Msg#: 3978016 posted 2:33 pm on Aug 31, 2009 (gmt 0)

I asked my tech support guys from my ISP; they had a workable idea:

Run this quick little string to get to the good stuff:

wget [iana.org...] && cat ./index.html | grep -e RESERVED -e UNALLOCATED | cut -d / -f 1 > ./bogon && rm ./index.html

This downloads the page, then searches it for lines with the word RESERVED or UNALLOCATED, then cuts those lines down to the leading digits.

If you wanted to, you could set that as a cron job to run every few weeks. It would take some more editing to get it to push the right numbers to the IPTABLES.conf.

With my server (CentOS 5) I have a file called "reserved-networks" that contains this list, so for me I could have that file created automatically using this script every month or so, and have the job restart the firewall.

I have not set this up yet, but in theory it seems like it might work.

Rugles (WebmasterWorld Senior Member, 10+ Year Member)
Msg#: 3978016 posted 2:36 pm on Sep 1, 2009 (gmt 0)

Bogon

How would you pronounce this term?

Rugles (WebmasterWorld Senior Member, 10+ Year Member)
Msg#: 3978016 posted 2:37 pm on Sep 1, 2009 (gmt 0)

Almost forgot, thank you for this post. It was news to me and I will find out if we are blocking these IPs.

maximillianos (WebmasterWorld Senior Member, 10+ Year Member)
Msg#: 3978016 posted 4:00 pm on Sep 1, 2009 (gmt 0)

You are welcome. I've been in this business a long time and had never heard of this before.

Not sure of the correct pronunciation, but I say it like "bogey" but with the "on".

Craven de Kere (10+ Year Member)
Msg#: 3978016 posted 5:18 pm on Sep 1, 2009 (gmt 0)

I advise others to not use such filtering at all. There are much better ways of securing your server than blacklisting unallocated ranges.

Propools (10+ Year Member)
Msg#: 3978016 posted 8:26 pm on Sep 1, 2009 (gmt 0)

Rugles

I wasn't sure for a while until I went to: [dictionary.reference.com...]

From:
Computing Dictionary
bogon
/boh'gon/ (By analogy with proton/electron/neutron, but doubtless reinforced after 1980 by the similarity to Douglas Adams's "Vogons")
1. The elementary particle of bogosity (see quantum bogodynamics). For instance, "the Ethernet is emitting bogons again" means that it is broken or acting in an erratic or bogus fashion.
2. A query packet sent from a TCP/IP domain resolver to a root server, having the reply bit set instead of the query bit.
3. Any bogus or incorrectly formed packet sent on a network.
4. A person who is bogus or who says bogus things. This was historically the original usage, but has been overtaken by its derivative senses. See also bogosity; compare psyton, fat electrons, magic smoke.
The bogon has become the type case for a whole bestiary of nonce particle names, including the "clutron" or "cluon" (indivisible particle of cluefulness, obviously the antiparticle of the bogon) and the futon (elementary particle of randomness, or sometimes of lameness). These are not so much live usages in themselves as examples of a live meta-usage: that is, it has become a standard joke or linguistic maneuver to "explain" otherwise mysterious circumstances by inventing nonce particle names. And these imply nonce particle theories, with all their dignity or lack thereof (we might note parenthetically that this is a generalisation from "(bogus particle) theories" to "bogus (particle theories)"!). Perhaps such particles are the modern-day equivalents of trolls and wood-nymphs as standard starting-points around which to construct explanatory myths. Of course, playing on an existing word (as in the "futon") yields additional flavour.

kinley (5+ Year Member)
Msg#: 3978016 posted 3:50 am on Sep 2, 2009 (gmt 0)

Thanks for the info maximillianos :)

Didn't even know such a thing existed!

It seems that you had a dedicated server and that's why you had to configure the setting yourself. But again, this would be the responsibility of the hosting company in case you are on shared hosting.

plumsauce (WebmasterWorld Senior Member, 10+ Year Member)
Msg#: 3978016 posted 3:58 am on Sep 2, 2009 (gmt 0)

I advise others to not use such filtering at all. There are much better ways of securing your server than blacklisting unallocated ranges.

For certain specialised uses bogon filtering can be a very useful first cut. One example is UDP-based services.

@maximillianos

The team-cymru site contains many formats of the bogon lists, including preconfigured Cisco configs. They are very good at keeping their copies current.

The one I use is the cidr format plain text list. This is then massaged into a binary format file for certain applications.
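An added example (written for this page, not code from any poster or from Team Cymru) that ties together the cron-job idea earlier in the thread and the CIDR-format plain-text list mentioned above: it parses a stale copy and a fresh copy of such a list, reports the prefixes that have since been released but are still blocked, and checks sample client addresses against both. All prefixes and client addresses are constructed for illustration and are not the real bogon list.

```python
import ipaddress

# Constructed sample data (not the real bogon list): a year-old copy of a
# CIDR-format list as a firewall might still load it, and a fresh download.
OLD_BOGONS = """\
0.0.0.0/8
10.0.0.0/8
127.0.0.0/8
192.0.2.0/24
198.51.100.0/24   # constructed: released since the old copy was made
203.0.113.0/24    # constructed: released since the old copy was made
"""
NEW_BOGONS = """\
0.0.0.0/8
10.0.0.0/8
127.0.0.0/8
192.0.2.0/24
"""
# Constructed client addresses as they might appear in a web server log.
SAMPLE_CLIENTS = ["198.51.100.77", "203.0.113.9", "10.1.2.3",
                  "192.0.2.10", "100.100.100.100"]

def parse_cidr_list(text):
    """Parse one prefix per line, ignoring blank lines and '#' comments."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets

def released_ranges(old, new):
    """Stale-list prefixes no current prefix covers: a firewall still loading the old list drops them."""
    return [n for n in old
            if not any(n.subnet_of(m) for m in new if m.version == n.version)]

def is_dropped(ip, bogons):
    """True if the address falls inside any prefix of the given list."""
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in bogons if n.version == addr.version)

def audit_clients(client_ips, old, new):
    """Client IPs the stale rules drop but the current list would let through."""
    return [ip for ip in client_ips
            if is_dropped(ip, old) and not is_dropped(ip, new)]

if __name__ == "__main__":
    old, new = parse_cidr_list(OLD_BOGONS), parse_cidr_list(NEW_BOGONS)
    print([str(n) for n in released_ranges(old, new)], audit_clients(SAMPLE_CLIENTS, old, new))
```

Running the diff against the firewall's own reserved-networks file each month, and alerting when released_ranges() is non-empty, is the check that would have caught the stale list described at the top of the thread.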
