Blocking Bogon IP Addresses

I have been using Look'N'Stop for several years, and have recently come across a list of Bogon addresses that should be blocked if they are not needed on the network. These addresses are supposedly not to be routed over the internet, but some of the addresses such as 192.168.x.x are normally used with routers.

What I would like more information about is how to place these addresses in Look'N'Stop in order to block them in and outbound from my IP address. I would also like to totally block any of these IP addresses that are not needed on my LAN. The Bogon list is as follows:

0.0.0.0/7
2.0.0.0/8
5.0.0.0/8
10.0.0.0/8
23.0.0.0/8
27.0.0.0/8
31.0.0.0/8
36.0.0.0/7
39.0.0.0/8
42.0.0.0/8
46.0.0.0/8
49.0.0.0/8
50.0.0.0/8
100.0.0.0/6
104.0.0.0/5
112.0.0.0/7
127.0.0.0/8
169.254.0.0/16
172.16.0.0/12
173.0.0.0/8
174.0.0.0/7
176.0.0.0/5
184.0.0.0/7
192.0.2.0/24
192.168.0.0/16
197.0.0.0/8
198.18.0.0/15
223.0.0.0/8
224.0.0.0/3

Frederic, Phant0m, Cleminole or anyone having the knowledge of how to add these addresses to Look'N'Stop, I need to know how if there is benefit.

Sincerely,
Daniel

 

Hi Daniel,

Yes, you can add rules to block these IP address for a better protection.

You need to create one rule per address (i.e per line from your post), then for each rule, select IPV4 protocol for ethernet Type, and on the right side of the rule edition (destination PC>>Net / Source Net>>PC):
- select the Mask Criteria
- just below enter the base IP address (0.0.0.0 for the 1st rule, 2.0.0.0 for the 2nd rule...)
- and just below you have to enter the mask for the sub-network, based on the last number you gave: "/x" => x is the number of 1's on the left when writing the IP address in binary format.
Typical values:
/8: 255.0.0.0
/16: 255.255.0.0
/7: 254.0.0.0
/12: 255.240.0.0

Regards,

Frederic

 

Hi Frederic,

Just curious on a point,

I can understand a need to create specific rules, but, if I was to place a raw rule with blocking, then place differnt IP`s within all fields to check the same entry, would that work correctly?

Regards,

Stem

 

Hi Stem,

Yes, with a raw rule edition, you can configure several IP address.
To do so, you need to select OR in "operator with next field" group on the field selecting the IP address (it has to remain AND for the first field selecting the Ethernet Type).
Since there is a maximum of 16 fields, and you need one for the Ethernet Type, normally with one raw rule, you can configure up to 15 IP address (with mask).

Selecting operators between fields is not available with the standard rule edition where it is bacically an AND between all fields you will select in the dialog box.

Regards,

Frederic

 

Frederic,
I thank you for reply and explanation,

I was looking at the "and" / "or" for these fields, I think I can understand these better, I think.

I am just trying to fully understand, with a point of being able to explain to others

Thank you for your time,

Best Regards,

Note,
I did see that when a rule is activated, that it allows all to use the rule. I did actually think that rules with application would only allow that application.

 

Yes, the application filtering and internet filtering are independant, and the feature is just to disable/enable the rule when an application disconnects/connects, but the rule is not specific to an application.
The feature was introduced mainly for server applications which require to open a port for incoming connections. It avoids to let the port open when the server application is not started. Note that only one application can open a port in server mode (so here, the rule is only for that application).
For client applications, if you want to be sure they are using specific ports, then the selection has to be done directly in the application filtering.

Frederic

 

Can you offer an example of how the IP would go into the "mask" area?
For instance 0.0.0.0/7. How would I mask this?

 

all of those adresses are non-routable.

it's not that theyre not 'supposed' to be routed, it's downright *impossible*

i fail to see the point in blocking said ip ranges, when they'd never even reach your network.

how on earth can you possibly gain "better protection" by denying traffic from an adress that you by the very design of tcp/ip CAN'T receive?

i haven't heard of look'n'stop before, but your curious statements made *me* curious.
the website is full of factual errors and poor language. i'm not convinced.

 

Hi Cereal Gnome,

Just use Frederic's typical values that he posted... 0.0.0.0/7 = 1stIP-field: 0.0.0.0, 2ndIP-field: 254.0.0.0 (0.0.0.0/254.0.0.0).


ethernal, you have 29 posts on wilders but you never heard of Look 'n' Stop before now? ... Ever hear of spoofed attacks?, you should googleIT.

 

yep, sorry guys, never even heard of it before. i don't deal with end-users in my line of work, and the professional community around me has never mentioned it.

and well, due to 1. not routable 2. netmask settings your os tcp/ip stack wouldn't even deliver the offending packets to the corrrect destination (service), you'd have to find a flaw in the stack to actually use it.

spoofing is mostly used to fake MAC and fragment your TTL and TCP sequence numbers to try and hide your presence on a LAN/fake your own operating systems.

over the internet, i'd say it's not an issue. if you really want to have a go at someone you'd use half-open relays instead.

 

Hi Frederic,

Thank you for clarification.

Regards,

 

There are a number of sites that will explain CIDR and show direct conversion.

Have a look here (Prefix aggregation):- http://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing

 

Yes, I agree from internet, you should normally never receive packets with these address.
However, on a local network, what would prevent you to receive this packets ?
For instance imagine an attack on a DHCP server which suddenly start giving address in one of the mentioned range, and suppose there is one infected PC on the Local network. Blocking these IP may help.

Also if suddenly by mistake your provider gives you (and others) IPs in one of the mentionned ranges, and if you have no router but connected directly to the gateway of you provider, blocking all these IP could help.

Of course all these statements are hypothetical, but one way (maybe paranoiad) to configure a firewall, is to block everything that is not necessary, even if this is strange and not supposed to happen.

Frederic

 

Frederic:
Blocking specific adresses feels like a backward way of doing things, i'd prefer explicitly allow certain traffic

 

... since when does anything Microsoft related work accordingly? ;P

An individual on LAN who's normally using IP address 192.168.0.3 could easily enough IP spoof using an private address from any private network (... 10., 192.168., 172.16.) and connect to a service running on machine 192.168.0.2. ethernal, if a person experienced this, it wouldn't be mere traffic. And IP spoofing using private addresses is very common and can be very dangerous, .. I already have done my homework!


While you wouldn't expect to see private addresses coming in directly from Internet, it's very possible and very common when using different p2p softwares. Also very easy for an individual over Internet to send spoofed IP packets using any private address, .. and many different exploits relies on just sending a single packet to exploit running service or TCP/IP stacks.

Ohhh, and also allowing traffic can very well likely be used against a person..


Regards,
Phant0m``

 

Would you consider it useful to mask the following IP: 127.0.0.1
If so, what would be the correct mask that would allow only 127.0.0.1 and no others in the 127.X range?

 

Hi Cereal Gnome,

Yes, you can mask Loopback address.

Though, when you wanting to apply a rule for specific IP address, you wouldn't need masking, just select 'IP: address' / 'Equals' instead of 'Mask' on Look 'n' Stop - 'Rule Editing' screen.


Regards,
Phant0m``