For the love of god, update your “Bogon” list.
For those not familiar, I am a director in a small web hosting company called Web In A Box (http://www.webinabox.net.au).
Earlier this year we received our first shiny, new IP allocation from our local RIR, APNIC. What should have been a happy, happy time for us turned sour, quickly.
After migrating a good chunk of our infrastructure into the new IP space, it became apparent that something was a bit off with it. We started running into all kinds of connectivity issues, even to some of our own machines overseas!
After some investigation it appeared that our IP space was in fact quite new and shiny. So new and shiny, in fact, that a good chunk of the internet still thought the “supernet” (126.96.36.199/8) it came from was unallocated!
I’ll stop here and provide a bit of background so you can understand the situation. Nasty people on the internet (spammers, DoS’ers and the like) have long hijacked other people’s IP space, or even unallocated space, to evade blacklisting and firewalling. To thwart them, several “Bogon” lists were published containing the IP blocks that should never appear as a source address or in the global routing table: RFC 1918 and other special-purpose space, plus whatever the RIRs had not (at the time) handed out. People could firewall or blacklist those blocks so the bad guys couldn’t use them for the forces of evil.
As the story often goes in IT, the usual staff turnover meant these bogon lists went unattended as time went on. That was seemingly fine for a while, until the unthinkable happened: the internet started running low on IPv4 space, those “Bogon” ranges started being allocated to people who needed them (like us), and because the filters weren’t being maintained, connectivity to the new addresses was blocked!
Now, back to the story. Because of the very nature of these lists, and the fact that they’ve often gone unattended and been completely forgotten about, getting them removed is a complete pain in the ass. We’ve had people flat out deny they even have “Bogon” blocks in place; only through insistence on our part have they gone and checked and eventually fixed the problem.
So, where to go from here? There’s plenty of debate on the ’tubes over the ongoing effectiveness of “Bogon” filtering, but for the people who think it’s a good idea, how do you implement it without it becoming a ticking time bomb the next time someone forgets about it?
Well, the guys at Team Cymru (http://www.team-cymru.org/) run a BGP “black-hole” service which fits the bill quite nicely. We have turned up a BGP session with them and are currently receiving 26 prefixes from their route reflectors. We use a simple route-map to set the next hop of every route we receive from them to an address that is statically routed to null, so traffic to those prefixes is dropped. If you’re worried that the Cymru guys could send you some nasty routes and blow your network up, you can do what we’ve done: set up a prefix-list that permits the current “Bogon” prefixes and nothing more. Because IPv4 is running out, the likelihood of something being added to the “Bogon” list is slim to none, so this prevents Cymru sending us any prefix we weren’t otherwise expecting, while leaving them free to withdraw prefixes as the space gets consumed.
So if you’re currently running “Bogon” filtering within your network, please, please, PLEASE consider switching to the Cymru BGP feed or, at worst, set up some kind of automatic script based on the lists they publish. We’d REALLY appreciate it.
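For readers who want to see what that arrangement actually looks like, here is an added example of the setup described above on a Cisco IOS router. It is not Web In A Box’s real configuration: the peer address, peer ASN, local ASN, shared secret and black-hole next-hop address are all placeholders, and the whitelist only shows the special-purpose blocks that never leave the bogon list (the unallocated /8s of the day are left out precisely because they change). Check Team Cymru’s current peering details before using any of it.

```cisco
! Added example of the bogon black-hole peering described above; not the author's
! real configuration. Placeholders (assumptions): 198.51.100.1 / AS 65500 for the
! bogon route server, AS 64496 for the local router, 192.0.2.1 (RFC 5737 TEST-NET-1,
! never routed on the internet) as the black-hole next hop.

! 1. A host route to Null0 for the black-hole next hop. Any prefix whose next hop
!    is rewritten to this address has its traffic discarded by the router.
ip route 192.0.2.1 255.255.255.255 Null0

! 2. Whitelist of prefixes we are willing to accept from the feed. Only RFC 1918 and
!    other special-purpose blocks are listed here because they never leave the bogon
!    list. "le 32" also admits more-specifics inside these blocks, which are still
!    bogon space. Everything else hits the implicit deny at the end, so a compromised
!    or mistaken feed cannot inject a black hole for real, allocated space.
ip prefix-list BOGONS-IN seq 5  permit 0.0.0.0/8 le 32
ip prefix-list BOGONS-IN seq 10 permit 10.0.0.0/8 le 32
ip prefix-list BOGONS-IN seq 15 permit 127.0.0.0/8 le 32
ip prefix-list BOGONS-IN seq 20 permit 169.254.0.0/16 le 32
ip prefix-list BOGONS-IN seq 25 permit 172.16.0.0/12 le 32
ip prefix-list BOGONS-IN seq 30 permit 192.168.0.0/16 le 32
ip prefix-list BOGONS-IN seq 35 permit 224.0.0.0/4 le 32
ip prefix-list BOGONS-IN seq 40 permit 240.0.0.0/4 le 32

! Nothing is ever advertised to the route server.
ip prefix-list DENY-ALL seq 5 deny 0.0.0.0/0 le 32

! 3. Inbound route-map: accept only whitelisted prefixes, point them at the black
!    hole, prefer them over any other path, and keep them inside our own AS.
!    Routes that do not match sequence 10 are dropped by the route-map's implicit deny.
route-map CYMRU-BOGON-IN permit 10
 match ip address prefix-list BOGONS-IN
 set ip next-hop 192.0.2.1
 set local-preference 200
 set community no-export

! 4. The eBGP multihop session to the bogon route server, locked down both ways,
!    with a prefix ceiling as a last line of defence against a runaway feed.
router bgp 64496
 neighbor 198.51.100.1 remote-as 65500
 neighbor 198.51.100.1 description Team Cymru bogon route server (placeholder address)
 neighbor 198.51.100.1 ebgp-multihop 255
 neighbor 198.51.100.1 password <shared-secret>
 neighbor 198.51.100.1 route-map CYMRU-BOGON-IN in
 neighbor 198.51.100.1 prefix-list DENY-ALL out
 neighbor 198.51.100.1 maximum-prefix 100
```

Two things worth noting. First, the routes above only black-hole traffic going *to* bogon destinations; to drop packets *sourced* from bogon space, which is the anti-spoofing case the lists were invented for, enable loose-mode uRPF (`ip verify unicast source reachable-via any`) on the edge interfaces, so that a source whose best route points at Null0 is discarded as well. Second, the whitelist only ever needs to shrink: once a block is allocated and Cymru withdraws it, the stale `permit` line does nothing, whereas a stale static null route or firewall rule is exactly the time bomb this post is about. The `no-export` community and the outbound deny make sure the black holes stay on your own routers and never leak to customers or peers.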