Difference between revisions of "Automatic Bogon Firewalling Using uRPF and Team Cymru"
Revision as of 12:11, 8 November 2013
A "bogon" is a prefix (IP subnet) that shouldn't be on the internet. These include RFC1918 private IP addresses, as well as public IP blocks that haven't been assigned to companies by their local RIR. The folks over at Team Cymru (http://www.team-cymru.org/) have a great list of all the IPv4 and IPv6 bogons. It's updated frequently, and is available as static text files or a BGP feed.
Routers have an option called a uRPF check, short for Unicast Reverse Path Forwarding, which looks at an incoming packet and compares the source address against the routing table. If the packet was received on the same interface that the router would use for the return traffic, the packet is allowed through. Otherwise, it gets discarded. Combine this with the bogon routes you get from Team Cymru, and you've got automatic bogon filtering.
Why might you want it?
- DDoS attacks may have spoofed source IPs, which could include bogon IPs.
- Some nefarious people may be cyber squatting on some unassigned IPs, and using them for any number of less-than-good purposes.
- You've set up a dark net. Instead of dropping packets from bogons, you could redirect them to a collector.
- You want to be the Alpha Nerd.
<PRE>
! Bogon prefixes from the Team Cymru feed carry community 65000:888.
! The route-map points them at a host route that is itself null-routed,
! so the reverse path for any bogon source resolves to Null0.
ip bgp-community new-format
ip community-list expanded CYMRU-BOGONS permit 65000:888
ip route 192.0.2.1 255.255.255.255 Null0 name NULL_ROUTE_FOR_CYMRU_BOGONS
route-map CYMRU-BOGONS permit 10
 description BOGONS LIST FOR URPF FILTERING
 match community CYMRU-BOGONS
 set ip next-hop 192.0.2.1
! Announce nothing back to the Cymru peers.
ip prefix-list CYMRU-OUT seq 10 deny 0.0.0.0/0 le 32
!
router bgp 65504
 bgp log-neighbor-changes
 neighbor CYMRU peer-group
 neighbor CYMRU remote-as 65000
 neighbor CYMRU description CYMRU BOGONS LIST
 neighbor CYMRU ebgp-multihop 255
 neighbor CYMRU password 7 1234567890
 neighbor CYMRU update-source Loopback6
 neighbor 2000:B00:B00:10::2 peer-group CYMRU
 neighbor 2000:C00:C00:10::2 peer-group CYMRU
 address-family ipv4
  neighbor CYMRU soft-reconfiguration inbound
  neighbor CYMRU prefix-list CYMRU-OUT out
  neighbor CYMRU route-map CYMRU-BOGONS in
  neighbor 2000:B00:B00:10::2 activate
  neighbor 2000:C00:C00:10::2 activate
  no auto-summary
  no synchronization
 exit-address-family
!
! A packet that fails the uRPF check is matched against ACL 100:
! permitted packets (DHCP server-to-client) are still forwarded,
! everything else that fails the check is dropped.
access-list 100 remark ---- ACL FOR URPF ----
access-list 100 permit udp any eq bootps any eq bootpc
access-list 100 deny ip any any
interface FastEthernet0
 description EXTERNAL
 ip verify unicast reverse-path 100
!
! NAT-T fix: reject the 192.168.0.0/16 bogon route before sequence 10,
! so that prefix is never null-routed.
ip prefix-list CYMRU_NAT-T_FIX seq 10 permit 192.168.0.0/16
route-map CYMRU-BOGONS deny 5
 description TO FIX NAT-T
 match ip address prefix-list CYMRU_NAT-T_FIX
 match community CYMRU-BOGONS
</PRE>
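As an added illustration (not code from the original page or from Team Cymru), the following Python model walks through the decision the configuration above makes for a packet arriving on the external interface: bogon routes that survive the route-map are installed with Null0 as their reverse path, the NAT-T prefix is kept out of the RIB, and a packet that fails the strict check is only forwarded if ACL 100 permits it. The bogon list, the default route via FastEthernet0 and the internal LAN prefix on Vlan1 are constructed sample data, not the live feed.

```python
import ipaddress

# Constructed sample inputs (not the live Team Cymru feed).
SAMPLE_BOGONS = ["0.0.0.0/8", "10.0.0.0/8", "192.168.0.0/16", "192.0.2.0/24"]
EXTERNAL, LAN, NULL0 = "FastEthernet0", "Vlan1", "Null0"   # Vlan1 is assumed
NAT_T_FIX = [ipaddress.ip_network("192.168.0.0/16")]        # prefix-list CYMRU_NAT-T_FIX

def build_rib(cymru_bogons):
    """Return {prefix: egress interface} after route-map CYMRU-BOGONS is applied."""
    rib = {ipaddress.ip_network("0.0.0.0/0"): EXTERNAL,   # assumed default route
           ipaddress.ip_network("10.10.0.0/16"): LAN}      # assumed internal LAN
    for p in map(ipaddress.ip_network, cymru_bogons):
        if any(p.subnet_of(x) for x in NAT_T_FIX):
            continue  # route-map deny 5 (NAT-T fix): prefix never enters the RIB
        # set ip next-hop 192.0.2.1, and 192.0.2.1/32 is a static route to Null0,
        # so the recursive lookup resolves every remaining bogon to Null0
        rib[p] = NULL0
    return rib

def lookup(rib, addr):
    """Longest-prefix match on the source address, as the forwarding lookup does."""
    a = ipaddress.ip_address(addr)
    best = max((p for p in rib if a in p), key=lambda p: p.prefixlen)
    return rib[best]

def urpf_acl_permits(proto, sport, dport):
    """access-list 100: only UDP bootps (67) -> bootpc (68), i.e. DHCP, is permitted."""
    return proto == "udp" and sport == 67 and dport == 68

def urpf_strict(rib, ingress, src, proto="tcp", sport=0, dport=0):
    """Model of 'ip verify unicast reverse-path 100': True if the packet is forwarded."""
    if lookup(rib, src) == ingress:
        return True                                  # return path matches: pass
    return urpf_acl_permits(proto, sport, dport)     # failed check: ACL decides

if __name__ == "__main__":
    rib = build_rib(SAMPLE_BOGONS)
    for src, extra in [("8.8.8.8", ()), ("10.1.2.3", ()), ("10.10.1.1", ()),
                       ("0.0.0.0", ("udp", 67, 68)), ("192.168.5.5", ())]:
        print(src, "forwarded" if urpf_strict(rib, EXTERNAL, src, *extra) else "dropped")
```

Note that the spoofed internal source 10.10.1.1 is dropped on the external interface even though the router has a route for it, because the route points at the LAN, not at the ingress interface.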