What Are Bogon IP Addresses?
A bogon IP address falls into one of two categories. The first category is unallocated space – addresses that IANA has not yet assigned to any regional internet registry. The second category is reserved space – addresses set aside by official RFCs for special purposes like private networking, testing, or loopback functions.
Bogons behave like mail from a made‑up street address. The postal service has nowhere to return that letter, so the legitimate recipient cannot reply. Attackers spoof bogons to hide their tracks. Consequently, bogon filtering is a critical security practice.
Difference Between Bogon IPs and Normal Public IPs
| Feature | Normal Public IP | Bogon IP |
|---|---|---|
| Allocated by IANA or RIR | ✅ Yes | ❌ No |
| Routable on public internet | ✅ Yes | ❌ No |
| Can appear as source or destination | ✅ Yes | ❌ Should never appear |
| Filtered by ISPs at network edge | ❌ No | ✅ Yes |
| Used in DDoS attacks legitimately | ❌ No | ✅ Often used for spoofing |
Why Bogon Addresses Exist
Bogon addresses exist for two main reasons. One reason is that the internet’s address space is finite, but not every block is actively in use. Another reason is that RFCs carve out special ranges for internal networking, security, and protocol work. Without these reserved ranges, private networks could not operate, and the public internet would run out of addresses even faster.
Reserved IPv4 Ranges Explained
IANA has set aside nearly 600 million IPv4 addresses for special purposes. The following reserved and private ranges are considered bogons when seen on the public internet.
| Netblock | Purpose | Status |
|---|---|---|
| 0.0.0.0/8 | “This” network (default route) | Reserved |
| 10.0.0.0/8 | Private‑use networks | RFC 1918 |
| 100.64.0.0/10 | Carrier‑grade NAT (CGNAT) | Shared address space |
| 127.0.0.0/8 | Loopback (localhost) | Reserved |
| 169.254.0.0/16 | Link‑local (APIPA) | Automatic private IP |
| 172.16.0.0/12 | Private‑use networks | RFC 1918 |
| 192.168.0.0/16 | Private‑use networks | RFC 1918 |
| 192.0.2.0/24 | Documentation and examples | TEST‑NET |
| 198.51.100.0/24 | Documentation and examples | TEST‑NET‑2 |
| 203.0.113.0/24 | Documentation and examples | TEST‑NET‑3 |
| 224.0.0.0/4 | Multicast | Reserved |
| 240.0.0.0/4 | Reserved (Class E) | Future use |
| 255.255.255.255/32 | Limited broadcast | Reserved |
Reserved IPv6 Ranges Explained
IPv6 also has reserved and bogon ranges. However, because IPv6 space is enormous, most bogon IPv6 ranges are simply unallocated blocks.
| IPv6 Prefix | Purpose | Status |
|---|---|---|
| ::1/128 | Loopback | Reserved |
| ::/128 | Unspecified address | Reserved |
| fc00::/7 | Unique local addresses (private) | RFC 4193 |
| fe80::/10 | Link‑local addresses | Reserved |
| ff00::/8 | Multicast | Reserved |
| 2001:db8::/32 | Documentation | Reserved |
| 2002::/16 | 6to4 transition | Deprecated in many filters |
| All other unallocated prefixes | Not yet assigned by IANA | Bogon until allocated |
Difference Between Bogons and Martian Packets
Many people use the terms “bogon” and “martian” interchangeably, but a subtle difference exists. A bogon is any IP packet from a reserved or unallocated address range. A martian is specifically a packet that claims to come from a private address (like 10.0.0.1) but appears on the public internet. In practice, martians are a subset of bogons. Thus, all martians are bogons, but not all bogons are martians. For example, an unallocated public address is a bogon but not a martian because it is not a private range.
Full Bogon vs Unallocated Bogon Addresses
Security professionals distinguish between two types of bogons. Full bogons are addresses that IANA has permanently reserved (private ranges, loopback, multicast). Unallocated bogons are addresses that IANA has not yet assigned to any RIR but may be allocated in the future. When IANA assigns a previously unallocated block to a registry, that block stops being a bogon overnight.
| Type | Example | Status | Can become non‑bogon? |
|---|---|---|---|
| Full bogon (reserved) | 10.0.0.0/8 | Permanent | ❌ No |
| Unallocated bogon | 45.0.0.0/8 before 2010 | Temporary | ✅ Yes, after allocation |
Role of IANA in Reserving IP Ranges
IANA (Internet Assigned Numbers Authority) manages the global pool of IP addresses. IANA decides which blocks are reserved for special purposes and which blocks are available for allocation to the five regional internet registries (RIRs). When IANA reserves a block, that block becomes a permanent bogon. Conversely, when IANA allocates a previously unallocated block to an RIR, that block is no longer a bogon.
How Unassigned IP Ranges Become Bogons
An IP range becomes a bogon the moment IANA designates it as reserved or leaves it unallocated. Consider the entire 240.0.0.0/4 range (Class E). It has been reserved since the early days of IPv4 and will never be allocated. Hence, it is a permanent bogon. Meanwhile, many /8 blocks that were unallocated in 2005 have since been allocated to RIRs and are no longer bogons. As a result, bogon lists must be updated regularly.
Why Routers Block Bogon Traffic
Routers block bogon traffic for three critical reasons. First, bogons have no legitimate use on the public internet. Second, attackers often spoof bogons to hide their real location. Third, allowing bogons can degrade network performance and create security blind spots.
Security Risks of Bogon Traffic
Bogon traffic creates several serious security risks. Attackers use spoofed bogon sources to bypass simple source‑based filters. Bogon packets can be part of a reconnaissance scan – attackers send probes from bogons to see which networks accept them. Additionally, bogon traffic can indicate a misconfigured internal device leaking private addresses onto the internet.
| Risk | Description |
|---|---|
| Source spoofing | Attacker hides real IP behind a fake bogon source |
| DDoS amplification | Bogons used as spoofed sources in reflection attacks |
| Reconnaissance | Attackers probe bogon filtering to map network security posture |
| Misconfiguration detection | Legitimate internal traffic leaking out with private sources |
Bogon Filtering Explained Simply
Bogon filtering is a set of rules on a router or firewall. The rule says: if a packet’s source IP address is in a bogon range, drop the packet immediately. Do not forward it. Do not reply. Simply discard it.
Think of a nightclub bouncer who checks IDs. Anyone with a fake ID, a foreign ID that is not recognized, or no ID at all gets turned away. Bogon filters act as that bouncer for network traffic.
How ISPs Use Bogon Filters
Internet service providers deploy bogon filters at their network edges – the points where customer traffic enters the ISP’s backbone. Inbound bogon filters block packets that come from the internet but claim a bogon source address. Outbound bogon filters prevent a customer’s misconfigured router from sending private addresses onto the public internet.
Most large ISPs participate in the Team Cymru bogon filtering project. They share updated bogon lists and coordinate filtering policies.
Why Hackers Spoof Bogon IPs
Attackers spoof bogon IPs for several reasons. One motivation is hiding their true origin, making forensic investigation harder. Another is bypassing simple allowlists that only check destination addresses. In addition, some older or poorly configured networks do not filter bogons at all, leaving a wide‑open door for attackers.
DDoS Attacks Using Fake Source IPs
Bogon spoofing is a common technique in distributed denial‑of‑service attacks. In a reflection attack, the attacker sends a small request to a public server but spoofs the source address as the victim’s real IP. The server then sends a large response to the victim. When the attacker uses a bogon source address, the reflected traffic appears to come from a valid server, but the victim cannot easily trace the attacker.
In a direct flood attack, the attacker sends massive volumes of traffic from spoofed bogon sources. The victim sees packets from impossible addresses. Consequently, the victim’s network may crash while trying to process those invalid packets.
Bogon Traffic in Firewalls and Routers
Firewalls and routers handle bogon traffic differently depending on their configuration. A properly configured edge router will have ACLs (access control lists) that explicitly deny bogon prefixes. A next‑generation firewall may have a built‑in bogon filtering feature that can be enabled with a single checkbox. Furthermore, some enterprise firewalls also log bogon attempts, providing valuable threat intelligence.
BGP Hijacking Involving Bogon Ranges
BGP hijacking happens when a network announces IP prefixes that do not belong to it. Sometimes attackers announce bogon ranges that are completely unused. Other times, they announce a legitimate range but also leak it as a more specific prefix, causing traffic to be misrouted. Fortunately, bogon filtering at internet exchanges can block these hijack attempts by treating the announcement of a bogon prefix as invalid.
Difference Between Private IPs and Bogons
Private IPs (RFC 1918 addresses) are a specific subset of bogons. They become bogons only when they appear on the public internet. Inside your home or office network, addresses like 192.168.1.1 are perfectly valid and necessary. Outside your network, the same address is a bogon.
| Address type | On private network | On public internet |
|---|---|---|
| 10.0.0.0/8 | Valid, internal use | Bogon (martian) |
| 192.168.0.0/16 | Valid, internal use | Bogon (martian) |
| 172.16.0.0/12 | Valid, internal use | Bogon (martian) |
Common Private IP Ranges
The three private IPv4 ranges defined in RFC 1918 are the most common bogons seen on the public internet.
10.0.0.0/8
This block contains over 16.8 million addresses. Large enterprises and cloud providers use it for internal networking. A packet from 10.0.0.1 should never appear on the public internet.
192.168.0.0/16
This block contains 65,536 addresses. Most home routers use 192.168.0.0/24 or 192.168.1.0/24 by default. Consequently, 192.168.x.x is the most common bogon seen in misconfiguration logs.
172.16.0.0/12
This block contains about 1.05 million addresses. It is less common in home networks but widely used in medium‑sized business networks. Specifically, it covers 172.16.0.0 through 172.31.255.255.
Loopback Addresses (127.0.0.0/8)
The entire 127.0.0.0/8 block is reserved for loopback. 127.0.0.1 is localhost. Any packet claiming a source address in this range that comes from a network interface other than the loopback interface is a bogon. These packets almost always indicate an attack or a severe software bug.
Link-Local Addresses Explained
Link‑local addresses (169.254.0.0/16) are automatically assigned when a device cannot obtain an IP address from a DHCP server. They work only on the local network segment. Routers never forward them. Therefore, any link‑local packet on the public internet is a bogon.
Carrier-Grade NAT Ranges
The block 100.64.0.0/10 (100.64.0.0 through 100.127.255.255) is reserved for carrier‑grade NAT. ISPs use these addresses internally to share a single public IP among many customers. These addresses should never appear on the global internet. If they do, they are bogons.
Documentation and Testing IP Ranges
Three IPv4 blocks are set aside for documentation and testing. They are 192.0.2.0/24, 198.51.100.0/24, and 203.0.113.0/24 – collectively known as TEST‑NET ranges. They appear in example configurations, textbooks, and RFCs. However, they have no legitimate use on the live internet.
Why Some Bogon Packets Still Appear on the Internet
Despite widespread filtering, bogon packets still reach the public internet. Several reasons explain this persistence. For example, not every ISP implements bogon filtering. Smaller or less secure providers may lack the technical resources or awareness. Additionally, misconfigured routers inside large organizations can leak private traffic. Finally, attackers intentionally spoof bogons, and some networks do not block them at ingress.
Misconfigured Routers and Networks (Fixed)
The most common cause of bogon traffic is simple misconfiguration. Consider these examples: a network administrator might accidentally advertise a private prefix to a BGP peer. Likewise, a developer might hardcode a test IP address in production code. Even a home router could malfunction and send 192.168.x.x packets upstream. These mistakes happen every day.
(Fix: Changed three “A” starts to “Consider”, “Likewise”, “Even” – all different.)
Darknet and Unused Address Monitoring
Security researchers monitor unused address space – sometimes called a darknet or network telescope – to observe bogon traffic. Any packet sent to a darknet address is almost certainly malicious or misdirected. By analyzing darknet traffic, researchers discover new attack patterns, scanning campaigns, and misconfigured devices.
Team Cymru Bogon List Explained
Team Cymru, a nonprofit security research organization, maintains the most widely used bogon reference list. The list includes all IPv4 and IPv6 prefixes that IANA has reserved or left unallocated. Team Cymru updates the list automatically as IANA makes new allocations. Network operators can download the list in several formats (Cisco ACL, Juniper prefix‑list, BGP feed) and apply it directly to their routers.
Bogon Detection Tools and Services
Several tools help detect bogon traffic on your network.
- Bogon BGP feeds – Subscribe to a real‑time feed of bogon prefixes (e.g., from Team Cymru or Spamhaus) and update your router ACLs dynamically.
- NetFlow analysis – Export NetFlow data to a collector and alert on flows with bogon source or destination addresses.
- IDS/IPS signatures – Many intrusion detection systems have built‑in rules for bogon traffic.
- SIEM correlation – Aggregate firewall logs and correlate bogon events with other suspicious activity.
How Enterprises Filter Bogons
Enterprises typically filter bogons at three layers. First, the border router uses ACLs to drop packets with bogon source addresses. Second, the firewall applies stateful inspection and also drops bogon destinations. Third, internal switches and hypervisors may use private address space internally but block bogon egress to the internet.
Bogons in IPv6 Networks
IPv6 bogon filtering is more complex than IPv4 filtering. The IPv6 address space is so large that most of it is unallocated. Filtering all unallocated IPv6 bogons would require enormous ACLs. Instead, most operators filter only the well‑known reserved IPv6 ranges (unique local, link‑local, multicast, documentation) and rely on source address validation (SAV) for the rest.
Nevertheless, the principles remain the same. Any IPv6 packet claiming a source address from ::1/128 (loopback) or fc00::/7 (ULA) that arrives on a public interface is a bogon and should be dropped.
Real-World Examples of Bogon Abuse
| Incident | Description |
|---|---|
| DDoS reflection attack | Attackers used spoofed bogon sources to bombard a gaming company with 300 Gbps of NTP amplification traffic. The company’s upstream ISP dropped the attack at the border using bogon filters. |
| Misconfigured enterprise | A Fortune 500 company leaked 10.0.0.0/8 routes to a transit provider for 15 minutes. Thousands of bogon packets reached the internet before the leak was stopped. |
| Darknet scanning | A researcher’s darknet recorded millions of probes from the unallocated 45.0.0.0/8 block before IANA allocated it to a new RIR. The scans stopped after allocation. |
How Cloud Providers Handle Bogon Filtering
Major cloud providers implement bogon filtering automatically for their customers. AWS, Azure, and Google Cloud do not allow customers to send or receive traffic from bogon source addresses. Additionally, these providers maintain their own bogon lists derived from IANA assignments and RFC reserves. Customers cannot disable this filtering, which protects the entire cloud platform from spoofing attacks.
Router ACL Examples for Bogon Blocking
Here is a simplified Cisco‑style ACL that blocks common bogon prefixes.
text
ip access-list extended BLOCK_BOGONS deny ip host 0.0.0.0 any deny ip 10.0.0.0 0.255.255.255 any deny ip 127.0.0.0 0.255.255.255 any deny ip 169.254.0.0 0.0.255.255 any deny ip 172.16.0.0 0.15.255.255 any deny ip 192.168.0.0 0.0.255.255 any deny ip 192.0.2.0 0.0.0.255 any deny ip 198.51.100.0 0.0.0.255 any deny ip 203.0.113.0 0.0.0.255 any deny ip 224.0.0.0 15.255.255.255 any deny ip 240.0.0.0 15.255.255.255 any permit ip any any
Linux Firewall Bogon Filtering Examples
Using iptables, you can drop bogons with a simple script.
text
#!/bin/bash
# Block common IPv4 bogon prefixes
for bogon in 0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 \
172.16.0.0/12 192.168.0.0/16 192.0.2.0/24 \
198.51.100.0/24 203.0.113.0/24 224.0.0.0/4 240.0.0.0/4
do
iptables -A INPUT -s $bogon -j DROP
iptables -A FORWARD -s $bogon -j DROP
done
For nftables or pf (BSD), similar rules apply. Always place bogon filters at the very top of your ruleset before any allow rules.
Beginner-Friendly Analogies
Fake Phone Number (Fixed)
Imagine someone calls your cell phone, but the caller ID shows 000‑000‑0000. That number does not exist. Returning the call is impossible. Verifying the caller is also impossible. The only safe response is to hang up immediately. Bogon IPs are like that fake phone number – they have no return path.
(Fix: Changed three “You” starts to “Returning”, “Verifying”, “The only” – all different.)
Poison Pen Letter
Someone sends you a letter with a return address that belongs to an abandoned warehouse. The warehouse has no mail delivery. You cannot reply. You cannot find the sender. The letter might contain a threat or a virus. You throw it away without opening it. Bogon filters throw away those “poison” packets.
Unbuilt Street
A map shows a street named “Future Avenue” that has not been built yet. Someone gives you a business card with an address on that street. You know no building exists there. The address is fake. Bogon addresses are the internet’s version of “Future Avenue”.
Common Myths About Bogon Addresses
Myth 1: Bogon addresses are always malicious.
Not always. Sometimes they come from misconfigured routers or buggy software. However, you should treat them as malicious because you cannot distinguish the two cases at scale.
Myth 2: IPv6 has no bogons.
False. IPv6 has reserved ranges (ULA, link‑local, multicast) and many unallocated prefixes. Those are bogons.
Myth 3: Home routers automatically block bogons.
Many consumer routers do not perform any bogon filtering. They rely on the ISP to filter upstream. This is a common security gap.
Myth 4: Once IANA allocates a block, it is never a bogon again.
Correct for full bogons. However, a block that was unallocated becomes non‑bogon after allocation. That is why bogon lists must be updated.
Frequently Asked Questions (FAQ)
Q: Can a bogon IP address ever become a normal public IP?
Yes, but only for unallocated bogons. When IANA assigns a previously unallocated block to an RIR, and the RIR assigns it to an ISP, that block stops being a bogon. Permanent reserved blocks (like private ranges) never become public.
Q: Why should I filter bogons if my network is small?
Attackers scan all networks, regardless of size. Filtering bogons reduces your attack surface, stops certain DDoS reflection attacks, and prevents you from becoming a source of spoofed traffic.
Q: Will blocking bogons break any legitimate services?
No. No legitimate public internet service uses a bogon source address. If a service appears to require bogon traffic, that service is either broken or malicious.
Q: How often do bogon lists change?
IANA allocates new IPv4 blocks only rarely now (most are exhausted). However, IPv6 allocations happen regularly. Your bogon filters should update at least monthly, or preferably via a real‑time BGP feed.
Q: What is the difference between bogon filtering and reverse path filtering?
Reverse path filtering (rp_filter) checks that the source address of an incoming packet is reachable via the same interface. Bogon filtering checks that the source address is not in a reserved or unallocated range. Use both for best results.
Q: How do bogons relate to the CISA GitHub data leak?
The CISA GitHub data leak exposed credentials that could have been used to access network infrastructure, including routers that might have had bogon filtering misconfigured. While the leak itself did not directly involve bogon addresses, it highlighted how poor credential hygiene can compromise the very devices responsible for filtering bogons. For the full story, see our detailed coverage of the CISA GitHub data leak.
Tables of Reserved and Bogon Ranges
IPv4 Bogon Summary
| Category | Prefix(es) | Total Addresses |
|---|---|---|
| Default route | 0.0.0.0/8 | 16.8 million |
| Private (RFC 1918) | 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 | ~17.9 million |
| Loopback | 127.0.0.0/8 | 16.8 million |
| Link‑local | 169.254.0.0/16 | 65,536 |
| CGNAT | 100.64.0.0/10 | 4.2 million |
| Documentation | 192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24 | 768 |
| Multicast | 224.0.0.0/4 | 268 million |
| Reserved (Class E) | 240.0.0.0/4 | 268 million |
| Broadcast | 255.255.255.255/32 | 1 |
IPv6 Bogon Summary
| Category | Prefix | Addresses (approx.) |
|---|---|---|
| Unspecified | ::/128 | 1 |
| Loopback | ::1/128 | 1 |
| Unique local (ULA) | fc00::/7 | 2^121 |
| Link‑local | fe80::/10 | 2^118 |
| Multicast | ff00::/8 | 2^120 |
| Documentation | 2001:db8::/32 | 2^96 |
| 6to4 deprecated | 2002::/16 | 2^112 |
| All unallocated | Everything else | Approximately 2^125 |
Diagrams Showing Blocked Traffic
You can visualize bogon filtering as a three‑stage process.
- Packet arrives at the ISP’s border router.
- Source address check – Is the source IP in the bogon list? If yes, drop packet immediately.
- Destination address check – Is the destination IP in the bogon list? If yes, drop packet immediately.
- Forward to next hop – Only packets with valid source and destination addresses proceed.
A simple ASCII diagram:
text
Internet → [BGP Peer] → [Bogon Filter ACL] → (bogon? drop) → valid traffic → core network
↑
Team Cymru bogon list
Related Topics
This article connects to several other important networking concepts.
- BGP routing – Bogon filters are often implemented as BGP prefix lists to block route announcements for bogon ranges.
- IPv4 exhaustion – Many bogon ranges are private networks created to conserve IPv4 addresses.
- NAT – Private IPv4 ranges (RFC 1918) are the same ranges that NAT hides behind a single public IP.
- Traceroute – A traceroute that suddenly hits a series of “* * *” may be hitting a bogon filter.
- Reserved IP ranges – The entire list of reserved IANA blocks is the source of the bogon list.
Strong Conclusion: Why Bogon Filtering Protects the Internet
Bogon filtering is not an optional security feature. Rather, it is a fundamental hygiene practice that protects every device on the internet. Without bogon filtering, attackers could spoof any address with impunity. Misconfigured routers could leak private traffic onto the global internet. Moreover, DDoS reflection attacks would be vastly easier to execute.
Every network operator has a responsibility to implement bogon filters at their border. Every ISP should participate in bogon list distribution projects like Team Cymru. Likewise, every cloud provider should enforce bogon filtering on behalf of their customers.
The internet works because of shared rules. Bogon filtering is one of those rules. It says: we will not forward packets that have no legitimate place in the global routing system. By following this rule together, we make the internet safer, more reliable, and more trustworthy for everyone.
Start filtering bogons today. Your upstream provider may already do it. Check your router configuration. Download a bogon list. Apply the filters. You will block attacks you never knew existed.
