Applying Bogon Access Lists to Networking Gear

May 24, 2017 | Views: 2585

Hello all,

Here is a short note on why you should apply an access list on your edge router that blocks the IP blocks listed on the bogon list.

What is the bogon list? The bogon list is a list of IP subnets that are either invalid, non-routable IP blocks such as 192.168.0.0, or IP blocks that have not been assigned. It is important to block these IP blocks from reaching your network, as doing so eliminates the chance of a hacker spoofing his/her source IP address as one of them, for instance an internal IP address. With Nmap, for example, we can issue the following command to spoof our source IP address when scanning a target:

nmap -S 192.168.0.1 192.168.1.1 -e eth0 -PN

Now, if you did not have an access list blocking incoming traffic from this non-routable IP 192.168.0.1, the spoofed IP packet would pass straight through your router.

Here is a current bogon list in a form that can be copied and pasted into a Cisco IOS device. Copy everything below this line.


conf t
no access-list 101
access-list 101 deny ip 0.0.0.0 0.255.255.255 any
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 100.64.0.0 0.63.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip 169.254.0.0 0.0.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.0.0.0 0.0.0.255 any
access-list 101 deny ip 192.0.2.0 0.0.0.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 198.18.0.0 0.1.255.255 any
access-list 101 deny ip 198.51.100.0 0.0.0.255 any
access-list 101 deny ip 203.0.113.0 0.0.0.255 any
access-list 101 deny ip 224.0.0.0 31.255.255.255 any
access-list 101 permit ip any any
end

conf t
int f0/0
ip access-group 101 in
end

write

The above access list blocks all the IP blocks on the bogon list. This small step should be part of network security best practices: for a network of any size it is simple to apply and can stop many types of attacks. For the latest IPv4 and IPv6 bogon lists visit: http://www.team-cymru.org/bogon-reference.html
