By: Sean Mancini
May 24, 2017

Applying Bogon Access Lists to Networking Gear


Hello all,

Here is a short note on the importance of applying an access list on your edge router that filters the IP blocks listed on the bogon list.

What is the bogon list? The bogon list is a list of IP subnets that are either invalid, non-routable IP blocks such as 192.168.0.0, or IP blocks that have not been assigned. It is important to block these IP blocks from entering your network because it removes the chance of an attacker spoofing his/her source IP address as one of your internal addresses. For instance, with Nmap the following command spoofs the source IP address when scanning a target:

nmap -S 192.168.0.1 192.168.1.1 -e eth0 -PN

Without an access list that blocks incoming traffic from the non-routable source 192.168.0.1, the spoofed packets would pass straight through your router.

Here is a current bogon list that can be copied and pasted into a Cisco IOS device. Copy from below the line.


conf t
no access-list 101
! one deny entry per bogon prefix; the second field is the IOS wildcard mask
access-list 101 deny ip 0.0.0.0 0.255.255.255 any
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 100.64.0.0 0.63.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip 169.254.0.0 0.0.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.0.0.0 0.0.0.255 any
access-list 101 deny ip 192.0.2.0 0.0.0.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 198.18.0.0 0.1.255.255 any
access-list 101 deny ip 198.51.100.0 0.0.0.255 any
access-list 101 deny ip 203.0.113.0 0.0.0.255 any
access-list 101 deny ip 224.0.0.0 31.255.255.255 any
access-list 101 permit ip any any
end

! apply the list inbound on the Internet-facing interface (f0/0 here)
conf t
int f0/0
ip access-group 101 in
end

write


The above access list blocks every IP block on the bogon list. This small step should be part of network security best practices: for a network of any size it is simple to apply and stops many types of attacks. Note that the unassigned portion of the bogon list changes as address space is allocated, so a static list like the one above needs to be refreshed periodically. For the latest IPv4 and IPv6 bogon lists visit: http://www.team-cymru.org/bogon-reference.html
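As an added example (not part of the original post), the following Python script rebuilds the same access list from CIDR prefixes, computing the IOS wildcard masks with the standard library, and then evaluates source addresses against it the way the router does (first matching entry wins, implicit deny at the end). The prefix list is the one from the access list above; the function names and ACL number are this example's own choices.

```python
import ipaddress

# Bogon prefixes from the access list above, written as CIDR.
BOGONS = [
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.2.0/24",
    "192.168.0.0/16", "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24",
    "224.0.0.0/3",
]


def build_acl(prefixes, number=101):
    """Return the IOS access-list lines for the given prefixes.

    IOS wildcard masks are the bitwise inverse of the subnet mask, which
    is exactly what ipaddress exposes as IPv4Network.hostmask.
    """
    lines = [f"no access-list {number}"]
    for prefix in prefixes:
        net = ipaddress.IPv4Network(prefix)
        lines.append(
            f"access-list {number} deny ip {net.network_address} {net.hostmask} any"
        )
    lines.append(f"access-list {number} permit ip any any")
    return lines


def acl_action(acl_lines, src_ip):
    """Simulate IOS evaluation of a source address: first match wins,
    and a packet matching no entry hits the implicit deny."""
    addr = int(ipaddress.IPv4Address(src_ip))
    for line in acl_lines:
        parts = line.split()
        if parts[0] != "access-list":
            continue  # skip the 'no access-list' reset line
        action, base, wild = parts[2], parts[4], parts[5]
        if base == "any":
            return action
        base_i = int(ipaddress.IPv4Address(base))
        wild_i = int(ipaddress.IPv4Address(wild))
        # Bits set in the wildcard are "don't care"; compare the rest.
        if (addr & ~wild_i) & 0xFFFFFFFF == (base_i & ~wild_i) & 0xFFFFFFFF:
            return action
    return "deny"  # implicit deny at the end of every IOS ACL


if __name__ == "__main__":
    acl = build_acl(BOGONS)
    print("\n".join(acl))
    # The spoofed source from the Nmap example is dropped, a public one passes.
    for ip in ("192.168.0.1", "8.8.8.8"):
        print(ip, "->", acl_action(acl, ip))
```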
