Ever been stumped by strange entries in your firewall logs? Or perhaps you’ve seen the term “bogon” in a network security report and wondered what it meant. You’re not alone. While it might sound like a creature from a sci-fi movie, a bogon is a very real and important concept in network security.
Understanding what bogon IPs are and how to handle them is a fundamental step in building a robust defense-in-depth security posture. In this ultimate guide, we’ll dive deep into the world of bogons, explaining what they are, the severe risks they pose, how to filter them, and the best practices for keeping your network secure.
What Exactly is a Bogon IP Address?
In the simplest terms, a bogon IP address is an IP address that should not be routable on the public internet. It’s an illegitimate, unassigned, or reserved address that has no official, allocated purpose for public communication. Think of it as a letter with a fake or non-existent return address—any communication from it is immediately suspicious.
The internet’s address book is managed by a global organization called the Internet Assigned Numbers Authority (IANA). IANA doesn’t hand out IPs directly to users. Instead, it allocates massive blocks of IP addresses to five Regional Internet Registries (RIRs):
- ARIN (American Registry for Internet Numbers) – North America
- RIPE NCC (Réseaux IP Européens Network Coordination Centre) – Europe, the Middle East, Central Asia
- APNIC (Asia-Pacific Network Information Centre) – Asia and the Pacific region
- LACNIC (Latin America and Caribbean Network Information Centre) – Latin America and the Caribbean
- AFRINIC (African Network Information Centre) – Africa
These RIRs then assign smaller blocks to Internet Service Providers (ISPs), cloud providers, and large organizations.
A bogon IP falls into one of two main categories:
- Private and Reserved IPs: These are address ranges specifically reserved by IANA for special uses, such as internal private networks (LANs) or loopback testing. They were never intended to be seen on the public internet.
- Unallocated IPs: These are IP address blocks that IANA has not yet assigned to any RIR. They are, for all intents and purposes, unused and have no legitimate owner. This list of unallocated IPs shrinks over time as more addresses are needed and put into circulation.
Common Bogon IP Ranges You Should Know (IPv4)
While the list of unallocated IPs is dynamic, the private and reserved ranges are fixed. Any traffic from these ranges seen on the public internet is a major red flag.
| CIDR Range | Purpose | Common Use Case |
|---|---|---|
0.0.0.0/8 | “This network” | Source address for a host acquiring an IP via DHCP. |
10.0.0.0/8 | Private Network | Large corporate networks. |
127.0.0.0/8 | Loopback | 127.0.0.1 (localhost) is used by a computer to refer to itself. |
169.254.0.0/16 | Link-Local | Automatic Private IP Addressing (APIPA) when a DHCP server is unavailable. |
172.16.0.0/12 | Private Network | Medium to large private networks. |
192.168.0.0/16 | Private Network | Small office/home office (SOHO) networks, like your home Wi-Fi. |
192.0.0.0/24 | IETF Protocol Assignments | Reserved for special protocol purposes. |
224.0.0.0/4 | Multicast | Used for streaming media and other one-to-many communications. |
240.0.0.0/4 | Reserved (Class E) | Reserved for future or experimental use. |
What About IPv6 Bogons?
Yes, bogons exist in the IPv6 world too! The principles are the same: these are addresses that shouldn’t be routed on the global internet. This includes the unique local addresses (fc00::/7), the loopback address (::1/128), and the vast swaths of IPv6 space that are not yet allocated by IANA. Effective bogon filtering must account for both IPv4 and IPv6.
Why are Bogons a Serious Security Risk?
If these addresses are illegitimate, why should you care? Because malicious actors love to use them for their anonymity. By spoofing (faking) a bogon IP, attackers can mask their true origin, making them incredibly difficult to trace.
Here are the primary security threats associated with bogon traffic:
- DDoS Attacks: Attackers can use spoofed bogon source IPs to launch Distributed Denial of Service (DDoS) attacks. Your server is flooded with junk traffic from untraceable sources. When your system tries to send a response, it goes nowhere, tying up resources and overwhelming your network.
- Network Scanning and Reconnaissance: Hackers often use bogon addresses to scan your network for open ports, running services, and other vulnerabilities. They can probe your defenses without revealing their actual location, as the source IP is a dead end.
- Evading Geolocation and Blocklists: Many security systems rely on blocking IPs from certain countries or known bad actors. By using an unallocated bogon IP, attackers can bypass these geographic or reputation-based security rules entirely.
- Identifying Internal Misconfigurations: If you see bogon traffic leaving your network (egress traffic), it’s a major red flag. It indicates a misconfigured device or, worse, a compromised machine on your internal network that is being used as part of a botnet to attack others.
How to Detect and Filter Bogon IPs: A Practical Guide
The primary defense against this type of traffic is bogon filtering. This involves configuring your network’s edge devices—like firewalls and routers—to create rules that automatically drop any packets coming from or going to a known bogon address.
This is accomplished by using a Bogon List, which is a real-time list of all unallocated and reserved IP ranges.
The Two Pillars of Bogon Filtering:
- Ingress Filtering (Inbound): This is the most common and critical type. Your firewall or router inspects all incoming traffic from the internet. If a packet arrives with a source IP address that is on the bogon list, it is immediately dropped. This is your frontline defense.
- Egress Filtering (Outbound): This involves inspecting traffic that is leaving your network. If a device on your internal network tries to send a packet with a bogon IP as its source, it gets blocked. This is crucial for network hygiene and for preventing a compromised machine inside your perimeter from attacking others.
Implementation Steps:
- Acquire a Reliable Bogon List: Do not create this list manually. Use a trusted, dynamically updated source. Team Cymru maintains the industry-standard bogon lists for both IPv4 and IPv6, which are updated multiple times a day.
- Apply to Your Edge Device: Most modern firewalls and Intrusion Prevention Systems (IPS) have built-in capabilities for bogon filtering. You can often enable this with a simple checkbox.
- For Routers and Linux Firewalls (iptables): You may need to apply Access Control Lists (ACLs) or script the process. For example, a script could fetch the latest bogon list from Team Cymru daily and use it to populate an
ipsetin Linux, which can then be used in aniptablesrule to efficiently drop traffic.iptables -A INPUT -m set --match-set bogons-v4 src -j DROP
The Challenge: Keeping Your Bogon List Updated
The biggest challenge with bogon filtering is that the list of unallocated IPs is not static. IANA allocates new blocks of addresses all the time.
If your bogon list is outdated, you risk blocking legitimate traffic. For example, if a new block of IPs is assigned to a major cloud provider and your list isn’t updated, you could accidentally block legitimate services your company relies on. Automation is key. Your system should be configured to automatically fetch and apply the latest list at least once a day.
Frequently Asked Questions (FAQ)
Q1: Is a bogon IP a type of virus? No, a bogon IP is not a virus. It’s simply an address. However, viruses, malware, and attackers use bogon IPs to hide their activities and launch attacks.
Q2: Can my computer be assigned a bogon IP? On your local network, yes. Your home router assigns you a private (bogon) IP like 192.168.1.100. This is normal and expected. However, this private IP should never be visible on the public internet; your router uses Network Address Translation (NAT) to give you a legitimate, public IP for internet communication.
Q3: How often should I update my bogon list? At a minimum, daily. Many security professionals recommend updating every few hours to minimize the risk of blocking newly allocated, legitimate IP space.
Conclusion: A Simple, Powerful First Line of Defense
Bogon filtering isn’t a silver bullet for all security threats, but it is a simple, effective, and fundamental best practice. It’s a powerful first line of defense that filters out a significant amount of malicious scans, DDoS noise, and other junk traffic before it can ever touch your critical systems.
By blocking traffic from these invalid IP addresses, you make your network a much harder target for attackers and gain better insight into the health of your own network. Take a moment to check your firewall and router configurations today. Ensure bogon filtering is enabled and, most importantly, that your lists are being updated automatically. It’s a small step that makes a big difference.
