
May 29, 2007

Blocking Bogons

I like revisiting the basics from time to time.  It seems like a good idea to go back and make sure you've got a solid foundation to work from before moving on to more complex tasks.  Taking another look at the simple stuff also helps me understand and remember how it relates to the more esoteric security considerations we sometimes run into.

One of the things the developers did in the Cobia firewall module was to automatically create a final firewall rule that drops all traffic.  This is the good, old "if it's not explicitly allowed, it's denied" rule.  It's a simple rule, with not much to it, but it's one I've seen forgotten more than once.  Having it created by default means one less thing you have to worry about.

When I was recently in Texas at TRISC, I got to sit down and listen to Mark Loveless, aka Simple Nomad, talk about evading IPS/IDS.  One of the methods he mentioned was how attackers use 'dark' or unused IP addresses to perform reconnaissance and attacks against networks.  Some of these are addresses that have been assigned but aren't currently in use, such as spare public IP addresses, but a large number of them are bogons.  An attacker doesn't need to own such an address to use it: it can simply be forged as the source address of probes that don't need a reply, or used as a decoy alongside the real scanning host.

What are bogons?  According to the Team Cymru Bogon Reference page, "A bogon prefix is a route that should never appear in the Internet routing table."  In other words, a bogon is an IP address no one should be using: reserved space such as the RFC 1918 private ranges, loopback, multicast, and the experimental blocks, plus any space that hasn't yet been allocated to anyone.  And since no one should ever be using IP addresses from the bogon list, there's no reason we should be allowing this traffic into or out of our networks. 

Creating ingress and egress filters to deal with the bogon list is fairly simple, but it will take a few minutes to set up the first time since the list is fairly long.  Team Cymru provides the list in several forms and updates it regularly, removing prefixes as they get allocated and adding disputed or unused ones.  That cuts both ways: a stale copy of the list will eventually block legitimate hosts in newly allocated space, so plan to refresh it rather than loading it once.  Apply the rules only to the external interface; if your internal network uses RFC 1918 space, a bogon filter on the inside interface will block your own users.  While you're creating these filters, I'd suggest adding another to block inbound traffic on the external interface that claims a source address inside your own subnet range; there's no legitimate reason you should ever see this type of traffic, so block it.
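To make the ordering concrete, here is an added example (my own, not Cobia's code or Team Cymru's) that models the two filters described above together with the default-deny rule from the start of the post, and renders the same policy as iptables commands.  The bogon prefixes embedded in it are a constructed excerpt of the permanently reserved ranges, not the full Team Cymru list; the site's own range 203.0.113.0/24, the interface name eth0 and the ALLOWS table are assumptions for the example.

```python
import ipaddress

# Constructed excerpt of the bogon list (an assumption for this example): only
# permanently reserved prefixes are listed here. The real list also holds
# unallocated space and changes over time, so pull it from Team Cymru and
# refresh it regularly instead of hard-coding it.
BOGONS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8",        # "this" network
    "10.0.0.0/8",       # RFC 1918 private
    "127.0.0.0/8",      # loopback
    "169.254.0.0/16",   # link-local
    "172.16.0.0/12",    # RFC 1918 private
    "192.0.2.0/24",     # documentation (TEST-NET)
    "192.168.0.0/16",   # RFC 1918 private
    "224.0.0.0/4",      # multicast
    "240.0.0.0/4",      # reserved, including limited broadcast
)]

# Assumed public range of the site behind the firewall (placeholder space).
LOCAL_NET = ipaddress.ip_network("203.0.113.0/24")

# Assumed explicit allows: (direction, destination network, destination port).
# Anything not matched here falls through to the final deny rule.
ALLOWS = [
    ("in",  ipaddress.ip_network("203.0.113.10/32"), 80),
    ("in",  ipaddress.ip_network("203.0.113.10/32"), 443),
    ("out", ipaddress.ip_network("0.0.0.0/0"), 53),
    ("out", ipaddress.ip_network("0.0.0.0/0"), 443),
]


def is_bogon(ip):
    """True if the address falls inside any prefix of the bogon excerpt."""
    return any(ip in net for net in BOGONS)


def bogon_filter(direction, src, dst):
    """Return a drop reason if the packet fails the bogon/anti-spoof checks, else None.

    direction is 'in' (arriving on the external interface) or 'out' (leaving it).
    """
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if direction == "in":
        if src in LOCAL_NET:
            return "inbound packet claims a source inside our own range"
        if is_bogon(src):
            return "inbound packet from a bogon source"
    elif direction == "out":
        if src not in LOCAL_NET:
            return "outbound packet with a source we don't own (spoofed or leaked)"
        if is_bogon(dst):
            return "outbound packet to a bogon destination"
    else:
        raise ValueError("direction must be 'in' or 'out'")
    return None


def firewall(direction, src, dst, dport):
    """Full decision: bogon/anti-spoof filter, then explicit allows, then default deny."""
    reason = bogon_filter(direction, src, dst)
    if reason:
        return "DROP", reason
    d = ipaddress.ip_address(dst)
    for allow_dir, net, port in ALLOWS:
        if allow_dir == direction and d in net and port == dport:
            return "ACCEPT", "explicitly allowed"
    return "DROP", "not explicitly allowed (final deny rule)"


def iptables_rules(ext_if="eth0"):
    """Render the same policy as iptables commands for a forwarding firewall.

    Only the external interface is matched, so an RFC 1918 LAN is unaffected.
    With NAT, FORWARD sees the pre-translation source, so the egress anti-spoof
    check would then compare against the internal range instead of LOCAL_NET.
    """
    rules = [f"iptables -A FORWARD -i {ext_if} -s {LOCAL_NET} -j DROP"]
    for net in BOGONS:
        rules.append(f"iptables -A FORWARD -i {ext_if} -s {net} -j DROP")
        rules.append(f"iptables -A FORWARD -o {ext_if} -d {net} -j DROP")
    rules.append(f"iptables -A FORWARD -o {ext_if} ! -s {LOCAL_NET} -j DROP")
    rules.append("iptables -P FORWARD DROP")  # the final "not allowed, so denied" rule
    return rules


if __name__ == "__main__":
    for pkt in (("in", "10.1.2.3", "203.0.113.10", 443),
                ("in", "203.0.113.5", "203.0.113.10", 443),
                ("in", "198.51.100.7", "203.0.113.10", 443),
                ("in", "198.51.100.7", "203.0.113.10", 22),
                ("out", "203.0.113.10", "192.168.1.1", 443)):
        print(pkt, "->", firewall(*pkt))
    print("\n".join(iptables_rules()))
```

The bogon and anti-spoof rules go first because they never need to be revisited by later allow rules: a packet from a source nobody owns, or an inbound packet pretending to come from inside, has no legitimate reason to exist, whatever port it targets.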

Blocking the bogon addresses is a simple process, but it's one we often overlook in a firewall installation.  It probably won't make a difference in your day-to-day networking, but if it gives someone trying to scout out your network one more hurdle to overcome, I think it's worth doing.  If you've got a good foundation to work from, then when the more complex problems come up, you've got your bases covered. 


Comments

Great information. Such programmers are needed out here in cyber land, where even the US government is subject to hackers probably using just such bogons.
I never heard of a bogon before, and I'm not sure how persons get ahold of IP addresses that are not being used by some entity. That would be an interesting addition to the article. How is that done, or maybe you left it out on purpose? :-)
