Since ThreatSTOP's inception, we've provided our customers with an essential blocklist - the Bogon IP list. This blocklist plays a crucial role in enhancing network security by preventing traffic to and from unassigned IP addresses that are often utilized for malicious activities, such as IP spoofing. While it's a common practice to block them for inbound traffic, we firmly believe that restricting outbound traffic is just as critical. In this post, we'll delve deeper into the significance of blocking bogon IPs both ways.

What are Bogons?

Bogons are IP addresses that should not be the source (or destination) of traffic on the public internet. As Team Cymru defines them:

A bogon prefix is a route that should never appear in the Internet routing table. A packet routed over the public Internet (not including over VPNs or other tunnels) should never have an address in a bogon range. These are commonly found as the source addresses of DDoS attacks.[...]

Bogons are defined as Martians (private and reserved addresses defined by RFC 1918, RFC 5735, and RFC 6598) and netblocks that have not been allocated to a regional internet registry (RIR) by the Internet Assigned Numbers Authority.

Team Cymru also notes that bogon IPs are frequently used in DDoS attacks, and they can be used in other attacks where no TCP connection is required; for example, there have been ways to crash DNS servers by sending them a single malformed packet. Bogon IPs are typically leveraged to target the network uplink, the firewall, or servers such as DNS servers in the DMZ (see link above). However, they can also be used sneakily to manipulate the firewall into attacking an internal host, by setting the originating IP address to the host's internal RFC 1918 address. This assumes that the attacker has access to that address and that the firewall has no rule to prevent it; unfortunately, both scenarios are common. These inbound attacks are the primary reason why blocking traffic from bogon IPs is crucial, and they remain a valid reason to do so.

Importance of Outbound Bogon Traffic

Another, less obvious use of bogons makes it even more important to include them in policies for outbound traffic too. Bogon addresses such as 0.0.0.0 can serve as placeholders for DNS names registered by cybercriminals for malicious activities such as attacks or DNS Domain Generation Algorithms (DGAs). If the attackers forget to update the bogon placeholder before launching their attack, infected devices may still try to use the DGA domains associated with bogon addresses, causing internal network devices to resolve those domains and send packets to those destinations. Spotting DNS lookups and outbound traffic of this sort is one way to detect malware inside your network. But, because thousands of domains resolve to bogon IPs like 0.0.0.0 at any given moment, identifying the specific malware can be challenging. While a domain resolving to a bogon address is not always malicious and may simply be a configuration error, any internal address attempting to connect to one is still suspicious. If multiple internal hosts are making such attempts, malicious activity is the likely cause.

Bogons and DNS Tunneling

In addition to misconfiguration, bogon addresses may appear in DNS results when someone is using DNS tunneling to exfiltrate data from your network or to download malware. In these cases, you may see bogon addresses among the responses to queries such as the following in your DNS logs:

  • s3afx5chqo1tbzfvwih4shoumoja9999.orarl2z4aez54uyrpmrzk6y9.cbox4[.]ignorelist[.]com
  • y3qiohi9.5hlays2gm5452jmnb1u1u6d2y6na9999.hq1uwciaky999999[.]claudfront[.]net

Devices in an enterprise rarely have legitimate reasons to use DNS tunneling, so if a computer is making such queries, it is likely engaged in unauthorized activity.
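The detection the two sections above describe, as an added example that is not ThreatSTOP's code: it parses resolver log lines in a constructed, hypothetical format, flags lookups whose answer falls in a bogon prefix, marks query names with the very long labels typical of tunneling, and applies the post's rule of thumb that one internal host is suspicious while several are likely malicious. The prefix list is an illustrative subset built from the RFCs quoted above, not ThreatSTOP's Bogon feed.

```python
import ipaddress
import re
from collections import defaultdict

# Illustrative bogon subset from the RFCs the post cites plus the reserved catch-alls; not ThreatSTOP's feed.
BOGON_V4 = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.0.0/24", "192.0.2.0/24", "192.168.0.0/16", "198.18.0.0/15",
    "198.51.100.0/24", "203.0.113.0/24", "224.0.0.0/4", "240.0.0.0/4")]
# Constructed log format (hypothetical): "<timestamp> client=<ip> qname=<name> answer=<ip|NXDOMAIN>"
LOG_LINE = re.compile(r"^\S+ client=(\S+) qname=(\S+) answer=(\S+)$")

def is_bogon(ip):
    """True when the resolved address falls inside one of the bogon prefixes above."""
    addr = ipaddress.ip_address(ip)          # raises ValueError for NXDOMAIN and the like
    return any(addr in net for net in BOGON_V4)

def looks_tunnelled(qname, min_label=30):
    """Very long labels, like the ones quoted in the post, are the hallmark of DNS tunnelling."""
    return any(len(label) >= min_label for label in qname.split("."))

def analyse(lines):
    """Map each internal client to the lookups it made that resolved to a bogon address."""
    findings = defaultdict(list)
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        client, qname, answer = m.groups()
        try:
            if not is_bogon(answer):
                continue
        except ValueError:                   # no address in the answer, nothing to check
            continue
        findings[client].append((qname, answer, looks_tunnelled(qname)))
    return dict(findings)

def verdict(findings, hosts_for_likely_malicious=2):
    """The post's rule of thumb: one host is suspicious, several hosts is likely malicious."""
    if not findings:
        return "clean"
    return "likely malicious" if len(findings) >= hosts_for_likely_malicious else "suspicious"

# Constructed sample lines: a normal lookup, a tunnel-like name answered with 0.0.0.0, a DGA-style name answered with an RFC 1918 address, and an NXDOMAIN.
SAMPLE = """\
2024-01-01T10:00:01 client=192.168.1.20 qname=www.example.com answer=93.184.216.34
2024-01-01T10:00:05 client=192.168.1.20 qname=k3v9q2x7z1m4n8b6c5a0p2r7t9w1e3y5u4i6o8.t.example.net answer=0.0.0.0
2024-01-01T10:00:09 client=192.168.1.31 qname=xq7zl2pv.example.org answer=10.99.0.1
2024-01-01T10:00:12 client=192.168.1.44 qname=old.example.com answer=NXDOMAIN
"""
```

Running `verdict(analyse(SAMPLE.splitlines()))` on the sample yields "likely malicious", because two different internal hosts resolved names to bogon space.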


Leveraging ThreatSTOP Reporting

This is where ThreatSTOP's log analysis comes in handy. By ensuring that the Bogon target is in your policy (see image below), and uploading the logs to ThreatSTOP, you can be alerted to these kinds of potential threats and get ahead of the attackers.

Image: Bogon target in the ThreatSTOP policy editor


Blocking outbound bogon connection attempts is beneficial because it buys time for analysis before the cybercriminals realize their mistake, and the sooner you are alerted to a potential problem, the better. By creating an alert in ThreatSTOP reporting you can be informed as soon as something attempts an outbound connection to a bogon address. You do this in the reporting section of the ThreatSTOP admin portal: edit the filter so that the Bogon target is selected (and, for IP policies, that outbound traffic is selected), then click on alerts (or on reports if you would rather receive a daily report).

Image: Bogon filter in ThreatSTOP reporting

Image: Bogon alert in ThreatSTOP reporting

Alerts are a valuable tool for MSPs and large enterprises, as they notify the SOC or its equivalent when a security breach occurs without overwhelming it with unnecessary information. By sending the alert to the organization's support ticketing system, it can be routed automatically to the appropriate security or support personnel for investigation and, if necessary, remediation. A single bogon hit is not an immediate threat in the way ransomware is, so setting the alert threshold to a higher number, such as 1 or 2 per hour, helps avoid false positives while still ensuring that actual malware call-homes are not missed.

Not a ThreatSTOP customer yet? Want to see ThreatSTOP instantly eliminate attacks on your network, or how it can effectively grow your MSP services?