Hunting for bogons and the ISPs that announce them

In the coming weeks, I will be monitoring bogons in the wild and the ISPs that announce them. But first, what the heck is a bogon anyway? Bogon is an informal term used to describe IP packets on the public Internet that claim to be from an area of the IP address space reserved, but not yet allocated or delegated by the Internet Assigned Numbers Authority (IANA) or any of the Regional Internet Registries (RIR).

Many ISPs filter bogon ranges, because they have no legitimate use traversing the internet. If you find a bogon in your firewall logs it is likely due to someone either accidentally misconfiguring something or intentionally creating them for malicious purposes.

Bogons may change to legitimate source IPs over time as they are allocated and assigned by IANA or a RIR, meaning there is no static list of bogons. A current list of all IPv4 prefixes that have been allocated or not by IANA can be found here. Only Martians will remain forever on the bogon list.

Marvin the Martian
© Warner Bros.

No, not that Martian. In IP networking, Martians are packets with source or destination addresses within special-use ranges such as:

Address block Present use “This” network[5] Private-use networks (Class A)[6] Carrier-grade NAT[7] Loopback[5] Link local[9] Private-use networks (Class B)[6] Private-use networks (Class C)[6] Multicast[13]

Now that we have a basic definition of a bogon established, where can we find an up-to-date list of bogon IP ranges? The only recently updated list I could find was provided by Country IP Blocks and they offered a complete bogon list in eleven different ACL Formats.

So how do we locate ISPs letting bogons onto the internet? Luckily this is easy as visiting Hurricane Electric’s Bogon Routes page.

M247 Ltd

One such ISP I found was M247 Ltd (previously known as GlobalAXS Communications).  I contacted them on July 11 and asked for comment.  I didn’t receive a follow up until July 24 when an unnamed M247 support representative stated:

As you can see from the HE site we are no longer announcing these prefixes. I am not authorised to comment any further.

I again asked if someone was authorized to comment further and received the following update on July 27:

I have spoken to our management who have authorised me to give you a further statement.

This was accidental misconfiguration on one of our devices which meant that some RFC1918 prefixes [private IP addresses] were tagged with our announce community. This has been rectified and the member of staff responsible re-trained.


Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.