Bogon Route Server Project

Introduction

A bogon prefix is a route that should not currently appear in the Internet routing table. A packet routed over the public Internet (not including over VPN or other tunnels) should not currently have a source address in a bogon range. These are commonly found as the source addresses of DDoS attacks.

There are a variety of ways to track the bogons and updated IANA allocations. The goal of the Bogon Route Server Project is to provide this data and update notification through a multihop eBGP peering session. This can make the automation of filters quite simple for even the largest networks.

Bogons do leak into the global table occasionally. This is generally a mistake on a router. The bogon route-server can help you to avoid the propagation of such mistakes or the acceptance of such prefixes.

Other methods of bogon tracking and filtering can be found on the Bogon Reference Page.

CAVEATS

N.B.: Please remember that this is a free service. It comes with no warranties or guarantees. You own your own network, and are responsible for the (mis)use of this data. We do hope it is useful to you and your network. KNOW YOUR NETWORK.

Please note that if you utilize RFC1918 space internally, you may wish to filter those announcements from the bogon route-servers. This can be accomplished easily with route-maps or prefix-lists. Contact us if you require assistance with this filtering.

Gory Details

The peering is conducted over a multihop eBGP peering session. The routers used for this peering are a collection of one-armed Cisco 4500M and 2600 routers; these serve no other purpose aside from the announcement of the bogon prefixes. There are currently 10 bogon route-servers online; 5 in the United States, 2 in Europe, 2 in Asia and 1 in Africa. We strongly recommend that you peer with at least 2 separate route-servers for redundancy.

The bogon prefixes are announced unaggregated; as of 14 JUL 2008 this includes 45 prefixes. The ASN used by all of the bogon route-servers is 65333. A private ASN is used to ensure that leakage is easily detected and prevented. Each prefix is tagged with a community, 65333:888, to more readily enable filtering. Peering sessions include the use of a password. The bogon route-servers accept no prefixes from their peers.

Note for those who use Zebra: Zebra does not yet support RFC 2385, passwords on peering sessions. We will exempt Zebra users from the TCP MD5 password requirement.

The bogon route-servers announce the bogon prefixes through a combination of BGP network statements and nailed routes. When a prefix is allocated by IANA to one of the RIRs, the nailed route is removed and the bogon prefix is quickly withdrawn from the BGP announcements. It's clean and works quickly.

Automatically Filtering Bogons

So how does one use the community 65333:888 prefixes to generate a bogon filter? There are myriad methods, of course. One possible method is to use a route-map and a route with a next-hop of the null0 (Cisco) interface.

Cisco router example:

        router bgp <your asn>
         neighbor x.x.x.x remote-as 65333
         neighbor x.x.x.x ebgp-multihop 255
         neighbor x.x.x.x description <your description>
         neighbor x.x.x.x prefix-list cymru-out out
         neighbor x.x.x.x route-map CYMRUBOGONS in
         neighbor x.x.x.x password <your password>
         neighbor x.x.x.x maximum-prefix 100 threshold 90
        !
        ! Remember to configure your Cisco router to handle the new style
        ! community syntax.
        ip bgp-community new-format
        !
        ! Set a bogon next-hop on all routers that receive the bogons.
        ip route 192.0.2.1 255.255.255.255 null0
        !
        ! Configure a community list to accept the bogon prefixes into the
        ! route-map.
        ip community-list 10 permit 65333:888
        !
        ! Configure the route-map.  Remember to apply it to the proper
        ! peering sessions.
        route-map CYMRUBOGONS permit 10
         description Filter bogons learned from cymru.com bogon route-servers
         match community 10
         set ip next-hop 192.0.2.1
        !
        ip prefix-list cymru-out seq 5 deny 0.0.0.0/0 le 32

Juniper router example:

        routing-options {
            static {
                route 192.0.2.1/32 {
                    discard;
                    no-readvertise;
                    retain;
                }
            }
        
            /* If you have declared 192.0.2.0/24 as a bogon add this entry. */
            martians {
             192.0.2.1/32 exact allow;
            }
        
            autonomous-system <your AS here>;
        }
        
        protocols {
            bgp {
                group CYMRU {
                    type external;
                    description "peering to receive bogons from CYMRU";
                    import CYMRU-bogons-in;
                    authentication-key "secretkey"; # SECRET-DATA
                    export deny-all;
                    peer-as 65333;
                    multihop 255;
                    neighbor <bogon rs IP>;
                    family inet {
                        unicast {
                            prefix-limit {
                                maximum 100;
                                teardown 100;
                            }
                        }
                    }
                }
            }
        }
        
        policy-options {
            policy-statement CYMRU-bogons-in {
                term 1 {
                    from {
                        protocol bgp;
                        as-path CYMRU-private-asn;
                        community CYMRU-bogon-community;
                    }
                    then {
                        /* backup in case no-export is cleared internally */
                        community add dont-announce;
                        next-hop 192.0.2.1;
                        accept;
                    }
                }
                then reject;    #  default action
            }
        
            policy-statement deny-all {
                then reject;
            }
        
            community dont-announce members <your as here>:<some community that suppresses announcements outside your as>;
        
            community CYMRU-bogon-community members [ no-export 65333:888 ];
        
            as-path CYMRU-private-asn 65333;
        }

Force10 router example:

        router bgp <your asn>
         neighbor IPV4_BOGONS peer-group
         neighbor IPV4_BOGONS route-map CYMRU_BOGONS in
         neighbor IPV4_BOGONS distribute-list CYMRU_OUT out
         neighbor IPV4_BOGONS maximum-prefix 100 90
         neighbor IPV4_BOGONS soft-reconfiguration inbound
         neighbor IPV4_BOGONS no shutdown
         neighbor x.x.x.x remote-as 65333
         neighbor x.x.x.x peer-group IPV4_BOGONS
         neighbor x.x.x.x description <your description>
         neighbor x.x.x.x ebgp-multihop 255
         neighbor x.x.x.x password <your password>
         neighbor x.x.x.x no shutdown
        ! Set a bogon next-hop on all routers that receive the bogons.
        ip route 192.0.2.1 255.255.255.255 null0
        !
        ! Configure a community list to accept the bogon prefixes into the
        ! route-map.
        ip community-list CYMRU_COMMUNITY
         permit 65333:888
        !
        ! Configure the route-map.  Remember to apply it to the proper
        ! peering sessions.
        route-map CYMRU_BOGONS permit 10
         description Filter bogons learned from cymru.com bogon route-servers
         match community CYMRU_COMMUNITY
         set next-hop 192.0.2.1
        !
        ip prefix-list CYMRU_OUT
         seq 5 deny any

OpenBSD's bgpd project can also be used to peer with the bogon route-servers. Our thanks to Pete Vickers for this example.

OpenBSD bgpd example:

        # config snippet for /etc/bgpd.conf
        #
        # Based on config by Pete Vickers 05/2004.
        #
        # Modified slightly to intermingle with pf, and
        #   also to apply policy to cymru-sourced routes
        #   received from IBGP peers.
        #
        # Configure sessions with cymru reprobates
        #
        group "peering bogon" {
          remote-as 65333
          local-address <MY-ROUTER-IP>
          multihop 64
          announce none
          max-prefix 1000
          tcp md5sig password <PASSWORD>
          neighbor <BOGON-ROUTE-SERVER-1-IP>
          neighbor <BOGON-ROUTE-SERVER-2-IP>
          # ... etc
        }
        #
        #
        # What to do with updates (can be used with updates from
        # cymru peers, and also from IBGP peers if other routers
        # in this AS also take a bogon feed). The "nexthop
        # blackhole" is a little extraneous given the pf config,
        # worth keeping in case the packet filter is disabled
        # at any point.
        #
        allow from any community 65333:888 set pftable "bogons"
        allow from any community 65333:888 set nexthop blackhole


        # config snippet for /etc/pf.conf
        #
        table <bogons> persist
        #
        # no bogon sources or destinations
        block quick from <bogons> to any
        block quick from any to <bogons>

With the advent of multiple bogon route-servers, the use of BGP peer-groups on Cisco routers is very convenient. Thanks to John Brown for the original example.

Peer-groups example:

        router bgp <your asn>
         neighbor cymru-bogon peer-group
         neighbor cymru-bogon ebgp-multihop 255
         neighbor cymru-bogon description <general description>
         neighbor cymru-bogon prefix-list cymru-out out
         neighbor cymru-bogon route-map CYMRUBOGONS in
         neighbor cymru-bogon maximum-prefix 100 threshold 90
        !
         neighbor x.x.x.x remote-as 65333
         neighbor x.x.x.x peer-group cymru-bogon
         neighbor x.x.x.x description <specific description>
         neighbor x.x.x.x password <your password>
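Before rolling any of the configurations above onto a production router, it can help to model what the inbound policy will do to a received feed. The following Python script is an added example, not part of the original page or of Team Cymru's code: it models the Juniper-style import policy (AS path 65333 plus community 65333:888, next-hop rewritten to the blackhole 192.0.2.1), the RFC 1918 caveat from the CAVEATS section, and the maximum-prefix limit of 100, and runs it over a constructed sample feed.

```python
import ipaddress

BOGON_ASN = 65333
BOGON_COMMUNITY = "65333:888"
BLACKHOLE_NEXT_HOP = "192.0.2.1"  # the /32 nailed to null0 / discard above
MAX_PREFIX = 100                  # maximum-prefix used in the router configs

# RFC 1918 space, dropped only when exclude_rfc1918=True (see the caveat above)
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def import_policy(routes, exclude_rfc1918=False):
    """Model the inbound bogon route-map on one received feed.

    routes: iterable of (prefix, as_path, communities) as seen from the
    route-server. Returns (accepted, rejected, over_limit): accepted maps
    prefix -> next-hop, rejected maps prefix -> reason, and over_limit is
    True when the feed exceeds MAX_PREFIX (the session would be torn down).
    """
    accepted, rejected, received = {}, {}, 0
    for prefix, as_path, communities in routes:
        received += 1
        net = ipaddress.ip_network(prefix)
        # Only routes originated by the private ASN may become blackholes
        if as_path != [BOGON_ASN]:
            rejected[prefix] = "as-path %s is not [%d]" % (as_path, BOGON_ASN)
        elif BOGON_COMMUNITY not in communities:
            rejected[prefix] = "missing community " + BOGON_COMMUNITY
        elif exclude_rfc1918 and any(net.version == r.version
                                     and net.subnet_of(r) for r in RFC1918):
            rejected[prefix] = "RFC 1918 space used internally"
        else:
            accepted[prefix] = BLACKHOLE_NEXT_HOP
    return accepted, rejected, received > MAX_PREFIX


# Constructed sample feed, not a real route-server dump
SAMPLE_FEED = [
    ("0.0.0.0/8", [65333], ["65333:888"]),
    ("10.0.0.0/8", [65333], ["65333:888"]),
    ("192.0.2.0/24", [65333], ["65333:888"]),        # covers the next-hop; the static /32 still wins
    ("203.0.113.0/24", [65333], []),                 # untagged: must not be blackholed
    ("198.51.100.0/24", [64496, 65333], ["65333:888"]),  # unexpected AS path
]

if __name__ == "__main__":
    acc, rej, over = import_policy(SAMPLE_FEED, exclude_rfc1918=True)
    for p, nh in acc.items():
        print("blackhole %-16s via %s" % (p, nh))
    for p, why in rej.items():
        print("reject    %-16s %s" % (p, why))
    print("maximum-prefix exceeded:", over)
```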

If none of these methods will work for you then please contact us for assistance. We are also eager to hear your suggestions on other filtering methods!

How Do I Obtain a Peering Session?

To peer with the bogon Route Server, contact team-cymru@cymru.com. When requesting a peering session, please include the following information in your email:

  1. Your AS number
  2. The IP address(es) you want us to peer with
  3. Does your equipment support MD5 passwords for BGP sessions?
  4. Optional: your GPG/PGP public key

We will typically provide multiple peering sessions (at least 2) for redundancy. If you would like more or less than 2 sessions please note that in your request. We try to respond to new peering requests within one business day.

Remember that you must be able to accommodate up to 100 prefixes and be capable of multihop peering with a private ASN. If you improperly configure your peering and route all packets destined for bogon addresses to the bogon route-servers, your peering session will be dropped.

Credits

Thanks to John Brown for the configuration example.

Thanks to Roy Engehausen for catching some errors and suggesting some enhancements.

Thanks to Pete Vickers for the original OpenBSD bgpd configuration example.

Thanks to Joe Abley for enhancing the OpenBSD bgpd configuration example.

Thanks to Marko Veelma for spotting some additional errors.

Thanks to Taka Mizuguchi and Tak Morinobu for the Japanese translation of this page.

The free bogon filters, monitoring, and tracking are supported thanks to the kind donations of peering, hosting, gear, and time from several individuals and organizations. If you would like to donate to the cause, be it a peering session, old gear, or good coffee :), contact Team Cymru.

We hope these links, references, and monitoring are useful to you. Please share your suggestions, comments, and references with us! Direct your comments to team-cymru@cymru.com.