By Bob Gourley
With this post we will dive a bit deeper into bogosity in networks, paying particular attention to the fundamental element of bogosity, the Bogon. We will then articulate a use case for the Centripetal Networks RuleGate which can ensure bogons never get to your enterprise.
As a prelude let me first say there is a very high likelihood that your ISP is sending bogons your way right now, using the bandwidth you paid for to do so. Bogons are bad for several reasons. Here is a bit more on why:
“Bogon” is an informal term used to describe IP packets on the public Internet that claim to be from an area of the IP address space reserved, but not yet allocated or delegated by the Internet Assigned Numbers Authority (IANA) or any of the Regional Internet Registries (RIR). Private IP addresses are also considered bogons because they are not supposed to be found on the public Internet. Many ISPs and end-user firewalls seek to block bogons, because they have no legitimate use (more details on how successful they can be at this are below). The only reason you will see a bogon is if someone either accidentally misconfigured something or intentionally is creating them for malicious purposes.
Bogon packets are useful to cybercriminals because the packets cannot be attributed to an actual host (since the source IP is bogus). Routers don’t examine the source IP address of a packet, all they care about is the destination IP address, so routers will happily forward bogon packets to their destination.
A bogon packet cannot be used to initiate and set up a TCP connection (setting up a TCP connection requires a 3-way handshake between two endpoints). So bogon packets cannot be used to, for example, send spam e-mails or to send HTTP/web traffic. But bogon’s can be used to launch TCP SYN attacks and are used in about 10% of DDoS attacks on the net. Stopping bogons can not only help your enterprise but those you connect to. Bogons can also be used to covertly move information.
Enterprises have been filtering bogons for years. Some did it better than others. Those that did it well could reduce the amount of malicious traffic heading their way. Historically, when ISPs or enterprises say they filter bogons, they are likely only referring to private IP addresses, not the full bogon address space. Filtering private IP addresses requires only a few rules. But filtering the full bogon list requires about 5000 rules for IPv4 and about 70,000 rules for IPv6. Double those numbers numbers if you want to filter in both directions. Given that 5000 rules will cause performance degradation in firewalls and router ACLs, it is likely that few, if any, ISPs and enterprises are filtering the full bogon list.
Some other very important notes for context:
– Bogon addresses are not static. Addresses get assigned and unassigned and changed. So while the core of a bogon list may remain the same for long periods of time the list is dynamic enough to need to be frequently updated if you want to use it to block. Automated systems like the Centripetal Networks RuleGate can take dynamic feeds of bogons and block them, automatically.
– It is worth mentioning that there is only one device on the market capable of processing enough rules to block bogons, including in both directions, and that is the RuleGate.
– Additionally, IPv4 networks are not safe from an IPv6 bogon bandwidth flooding attack. Most ISPs and many enterprises use dual-mode equipment which can route both IPv4 and IPv6 and have IPv6 routing tables in place and have pre-allocated IPv6 to their subscriber’s networks.
– The dual-mode, IPv6 capable systems in your network can also enable malicious actors to do other things, like exfil their data using IPv6 without you knowing it. Although this is not the precise definition of a bogon, this unauthorized use of your network is bogus and bad and should also be stopped.
I hope this discussion on bogons has got you thinking. Part of the reason there has not been much discussion of bogons is till now there were no automated systems that could really stop them. Now there is and it is worth having the conversation.