Complete Bogons
-
Country IP Blocks is now including all Bogons in its Country IP Database.
Bogons are networks that are reserved, or allocated to a Regional Internet registry but unassigned. Bogons should not generally be allowed access to your inbound networks.
This brings our IPv4 database to the full range of 4,294,967,296 IP addresses.
-
Hi Stewart,
We're using Cymru's bogon lists for v4 and v6 and have that built into the system, is there any difference between those and yours? v4 bogons is easy these days given it's likely static for eternity now. v6 is another matter with its rate of change.
-
v4 bogons are only static if you are relying on the reserved addresses alone. If you are also including the unassigned addresses then the data is fairly dynamic. I can't speak for Cymru, other than to compliment them on their work. They do a great job.
The reserved networks in the bogon list are just a few networks. But the entire list of unassigned network blocks has more than 5,500 blocks at any given moment. This list changes frequently.
-
As of today there are 5,535 networks and 887,752,768 addresses that are contained in the complete bogon list.
-
By v4 bogons, I'm talking about usable IP space that is not assigned to a RIR, which is what the Cymru list contains. All usable IPv4 space is assigned to RIRs now, there is no unassigned IPv4 space, which is how and why the v4 list is static (for what Cymru provides at least).
Our bogons list contains:
0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 172.16.0.0/12 192.0.0.0/24 192.0.2.0/24 192.168.0.0/16 198.18.0.0/15 198.51.100.0/24 203.0.113.0/24 224.0.0.0/4 240.0.0.0/4
I can definitely see benefits to going through the RIRs and assembling lists of what they haven't assigned, though yeah that would be a very fast changing list. Not sure that would be something we would want to implement as our built in bogons, too likely to cause problems I expect, it'd have to be updated very frequently.
Are you actually using that bogon list on a firewall or in a similar role anywhere? I guess since it's new your experience is probably limited, just seems like a list of that nature would really be difficult to manage.
-
For years we offered an identical type of bogon list like the one you posted. It's a good start to block that type of traffic, but there are hundreds of thousand of additional addresses that are quite similar to the special reserve addresses. These are addresses that have been allocated to the RIRs but not designated beyond the allocation. In other words they are valid IP networks that are technically viable but not in use. These are address blocks being targeted by many cyber-criminal gangs for hijack purposes and other forms of malicious activity.
Technically speaking, we ran out of allocated IPv5 addresses about a year ago. But we did not exhaust all the potential addresses still waiting to be delegated to users. There are millions.
For the past several years we have kept these addresses out of our database as our focus was allocated and assigned addresses. But that meant there were still approximately 300 million addresses floating around and not being used. Thus, for consistency sake we decided to add these addresses to the full bogon list. This provides badly needed extra network security.
At Country IP Blocks we are testing these lists in our firewalls to good effect.
Incidentally, if you aggregate all of the contiguous IPv4 networks in our database, including the bogons, the entire database consolidates to one network containing all 4,294,967,296 IPv4 addresses: 0.0.0.0 - 255.255.255.255. While this might seem more trivia and trivial, it illustrates the bigger picture of network security: identifying and controlling all your traffic.
This falls in line with our goals for 2012. There are lots of changes coming to Country IP Blocks.
-
It's an interesting concept for sure if it can be reasonably kept up to date. In theory, it's an excellent idea, no question. I'm very hesitant to put something like that on our own network, much less push it out to all our users though (if we were to replace our built-in bogons). Just seems it would be very prone to false positives (active IP space in the bogon list) even if it were updated frequently. Just keeping country lists straight isn't easy I know, we've reported a few problems in those lists over the last year or so (which is inevitable from time to time, and you guys have always been very quick to fix, kudos on that).
The amount of abuse we get from non-assigned IP space is extremely minimal compared to assigned IP space. For those who can block a few users and never know, or those who don't have legit visitors from literally every corner of the planet as we do, it's probably no problem. I suspect we'd hit false positives though.
I'm curious enough that I'd be willing to make our primary hosting network a guinea pig on at least one web server initially and see how it goes. Don't have time tonight but maybe in the next few days. I'd also be willing to throw in a block rule on our entire network above the default deny rule, to get an idea of how much traffic we're blocking anyway that it would block.
I'm sure the reason Cymru did their bogons the way they did (which left it static since around a year ago) is because of the extreme effort in compiling and maintaining a full bogon list along the lines of what you're doing. If you have that figured out, you have something really good going there. ;D
-
WE have it figured out very well on the IPv4 lists. These are updated successfully each day. The full IPv6 bogons list is a little more troublesome, but it should be complete, dynamic and stable soon.