A bogon is an illegitimate IP address that falls into a set of IP addresses that have not been officially assigned to an entity by an internet registration institute, such as the Internet Assigned Numbers Authority (IANA). Bogons arise from misconfiguration or from intentional misuse that fools the recipient about a packet's true source IP address. The term bogon is slang, derived from the word bogus.
How does a bogon work?
IP addresses are used by the internet infrastructure to uniquely identify an entity, such as a website or server. IANA, together with the regional internet registries, allocates an IP address to each such entity on a network. Once assigned, these addresses are used to carry communication between two endpoints.
The range of registered IP addresses is known as the reserved space. An address is a bogon when it does not fall into this registered range, or when it is part of the address space known as the bogon space.
Some IP addresses may be considered bogons only temporarily, as the IANA registry is constantly updating and assigning new address space. Private IP addresses also fall under the bogon description, as they do not appear on the public internet.
Risks associated with bogons
Bogons are not normally visible on a network but are still a prime target for exploitation. For example, hackers or spammers commonly use them when initiating a distributed denial-of-service (DDoS) attack, because packets carrying a bogon source address cannot be traced back to an actual host or source.
Additionally, bogons can be used to launch Transmission Control Protocol (TCP) SYN scanning attacks and to secretly transfer malicious information. Although bogons should never appear in the routing table, routers will not detect them, because ordinary forwarding examines only the destination IP address rather than the source IP address.
Prevention of bogons
Many internet service providers (ISPs), firewalls and intrusion prevention systems block bogons. This is accomplished through bogon filtering: the practice of applying access control lists (ACLs) or Border Gateway Protocol (BGP) blacklists to a device. A list of bogons can be obtained from a variety of sources, including HTTP, BGP peering, routing registries and the DNS.
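The following is an added example, not part of the original article, showing the two points above in working code: a bogon filter decides on the source address (which ordinary forwarding never inspects), and it does so by matching against a prefix list that must be refreshed as allocations change. The prefix list, the "key=value" log format and the packet lines are all constructed for this example; the list holds only the well-known reserved IPv4 ranges, not a live feed of unallocated space.

```python
import ipaddress
import re

# Constructed bogon prefix list for this example: the well-known reserved
# and non-routable IPv4 ranges (the "traditional" bogons). A production
# filter must refresh its list from the sources named in the text (HTTP,
# BGP peering, routing registries, DNS), because unallocated space changes
# as IANA assigns it.
BOGON_PREFIXES = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8",        # "this" network
    "10.0.0.0/8",       # RFC 1918 private
    "100.64.0.0/10",    # shared address space (carrier-grade NAT)
    "127.0.0.0/8",      # loopback
    "169.254.0.0/16",   # link-local
    "172.16.0.0/12",    # RFC 1918 private
    "192.0.0.0/24",     # IETF protocol assignments
    "192.0.2.0/24",     # TEST-NET-1 (documentation)
    "192.168.0.0/16",   # RFC 1918 private
    "198.18.0.0/15",    # benchmarking
    "198.51.100.0/24",  # TEST-NET-2 (documentation)
    "203.0.113.0/24",   # TEST-NET-3 (documentation)
    "224.0.0.0/4",      # multicast
    "240.0.0.0/4",      # reserved, including limited broadcast
)]


def is_bogon(addr: str) -> bool:
    """True if addr falls inside any prefix of the bogon list."""
    ip = ipaddress.ip_address(addr)
    # A mismatched address family (e.g. IPv6 against an IPv4 net) is simply
    # "not contained", so the check stays safe for mixed input.
    return any(ip in net for net in BOGON_PREFIXES)


# Constructed packet-log lines in a hypothetical "key=value" format.
# 100.128.0.1 lies just outside the CGNAT block and stands in for an
# ordinary public source; 198.51.100.7 is the (documentation-range)
# address of the server being protected.
SAMPLE_LOG = """\
src=100.128.0.1 dst=198.51.100.7 proto=tcp flags=S
src=10.1.2.3 dst=198.51.100.7 proto=tcp flags=S
src=192.0.2.44 dst=198.51.100.7 proto=udp
src=224.0.0.9 dst=198.51.100.7 proto=udp
src=100.64.3.9 dst=198.51.100.7 proto=tcp flags=S
"""

LINE_RE = re.compile(r"src=(\S+)\s+dst=(\S+)")


def filter_log(log: str):
    """Split log lines into (accepted, dropped) source addresses.

    The decision is made on the *source* address on purpose: forwarding
    only looks at the destination, which is exactly why a bogon-sourced
    packet passes a router unnoticed and has to be caught at the edge.
    """
    accepted, dropped = [], []
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # skip lines that do not match the expected format
        src, _dst = m.groups()
        (dropped if is_bogon(src) else accepted).append(src)
    return accepted, dropped


if __name__ == "__main__":
    ok, bad = filter_log(SAMPLE_LOG)
    print("accepted:", ok)
    print("dropped (bogon source):", bad)
```

Running it accepts the single public-looking source and drops the four packets whose source lies in private, documentation, multicast or shared-address space. The same structure applies to a live deployment, with BOGON_PREFIXES replaced by a periodically downloaded list so that an address that has since been allocated does not stay blocked.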
If a bogon becomes legitimate, the change is usually announced on network operators' mailing lists so that the address can be removed from filters. An organization may want to consider a software tool, such as RuleGate, that dynamically blocks and unblocks bogons on devices.