How to apply full bogon “Martians networks” list to MikroTik
Hello folks, I just want to share my knowledge about how to add bogon or full bogon lists to RouterOS/MikroTik to improve your network security, prevent DoS, etc.
Before we start adding them, we must know what these bogon/full bogon networks are.
Bogon filtering is the practice of filtering bogons, which are bogus (fake) IP addresses of a computer network. Bogons include IP packets on the public Internet that contain addresses that are not in any range allocated or delegated by the Internet Assigned Numbers Authority (IANA) or a delegated regional Internet registry (RIR) and allowed for public Internet use. The areas of unallocated address space are called the bogon space.
ref. https://en.wikipedia.org/wiki/Bogon_filtering
and
ref. https://en.wikipedia.org/wiki/Martian_packet
Fullbogons
The Bogons list above reflects unallocated, reserved, and special designated IPv4 address ranges only. When address space is allocated by IANA to the RIRs, it is often subdivided before being assigned to specific networks. Our traditional bogons do not include the ranges that are unassigned by the RIRs. More importantly, our traditional bogons project predates wide adoption of IPv6 and does not include IPv6 addresses.
ref. https://team-cymru.com/community-services/bogon-reference/
Why must you use bogon lists?
Bogon packets are useful to cybercriminals because the packets cannot be attributed to an actual host (since the source IP is bogus). Routers don't examine the source IP address of a packet, all they care about is the destination IP address, so routers will happily forward bogon packets to their destination. Bogons can be used to launch TCP SYN attacks and are used in about 10% of DDoS attacks on the internet.
So full bogons are more effective for protecting your network or an ISP network. This article is mostly useful for Internet Service Providers, because for a home/office network my recommendation is to use whitelist rules: create accept rules for the traffic you want, placed above drop rules that drop everything not matched by the whitelist.
But where can you get these dynamically updated full bogon lists?
Team Cymru can assist with that, just follow this link:
https://www.team-cymru.org/Services/Bogons/fullbogons-ipv4.txt
and for IPv6:
https://www.team-cymru.org/Services/Bogons/fullbogons-ipv6.txt
As you can see, this is a huge number of IP addresses.
Please pay attention: the list is updated every four hours, but the recommendation is to download it once per day.
Now we have a source of full bogon IPs; next is how to add it to MikroTik.
Create a new script, give it a name and insert the script:
# Automatically add BOGONs to your firewall's address lists.
# Only works with 6.43 and up.
#
# Please do not fetch more often than the listed update interval, for the
# lists that are updated only as IANA allocations change, please do not fetch
# more than once per day.
#
# by Phillip Stromberg
# 2018-11-07
# uses team-cymru.org BOGON lists
{
  :global content;
  :local url;
  :local addressListName;
  :set addressListName "AUTOBOGON"
  ####### UNCOMMENT THE URL YOU NEED: #######
  ### This is the list of bit notation bogons, aggregated, in text format.
  ### Updated as IANA allocations and special prefix reservations are made.
  # :set url "https://www.team-cymru.org/Services/Bogons/bogon-bn-agg.txt"
  ### The traditional bogon prefixes, plus prefixes that have been allocated to RIRs
  ### but not yet assigned by those RIRs to ISPs, end-users, etc.
  ### Updated every four hours.
  :set url "https://www.team-cymru.org/Services/Bogons/fullbogons-ipv4.txt"
  ###########################################################################
  # download the list into a variable instead of a file
  :local result [/tool fetch url=$url as-value output=user];
  :if ($result->"status" = "finished") do={
    :set content ($result->"data");
  }
  :global contentLen [ :len $content ];
  :global lineEnd 0;
  :global line "";
  :global lastEnd -1;
  # start from an empty list so prefixes removed upstream disappear too
  /ip firewall address-list remove [find list=$addressListName];
  :do {
    :set lineEnd [:find $content "\n" $lastEnd ];
    :set line [:pick $content $lastEnd $lineEnd];
    :set lastEnd ( $lineEnd + 1 );
    # lines starting with "#" are comments in the Team Cymru file; skip them
    :if ( [:pick $line 0] = "#" ) do={
    } else={
      # :put $line;
      /ip firewall address-list add address=$line list=$addressListName;
    }
  } while ($lineEnd < $contentLen - 2)
}
Thank you, Phillip Stromberg, for the great script :)
The script policy must be set to: read, write, test.
My forked code for IPv6 is:
# Automatically add BOGONs IPv6 to your firewall's address lists.
# Works with 6.47.7.
#
# Please do not fetch more often than the listed update interval, for the
# lists that are updated only as IANA allocations change, please do not fetch
# more than once per day.
#
# by Phillip Stromberg, fork modified by Levko Kravchuk: add IPv6 full bogons
# 11/17/2020
# uses team-cymru.org BOGON lists
{
  :global content;
  :local url;
  :local addressListName;
  :set addressListName "IPv6_AUTOBOGON"
  ########### UNCOMMENT THE URL YOU NEED: ###########
  ### This is the list of bit notation bogons, aggregated, in text format.
  ### Updated as IANA allocations and special prefix reservations are made.
  ### The traditional bogon prefixes, plus prefixes that have been allocated to RIRs
  ### but not yet assigned by those RIRs to ISPs, end-users, etc.
  ### Updated every four hours.
  :set url "https://www.team-cymru.org/Services/Bogons/fullbogons-ipv6.txt"
  ###########################################################################
  # download the list into a variable instead of a file
  :local result [/tool fetch url=$url as-value output=user];
  :if ($result->"status" = "finished") do={
    :set content ($result->"data");
  }
  :global contentLen [ :len $content ];
  :global lineEnd 0;
  :global line "";
  :global lastEnd -1;
  # start from an empty list so prefixes removed upstream disappear too
  /ipv6 firewall address-list remove [find list=$addressListName];
  :do {
    :set lineEnd [:find $content "\n" $lastEnd ];
    :set line [:pick $content $lastEnd $lineEnd];
    :set lastEnd ( $lineEnd + 1 );
    # lines starting with "#" are comments in the Team Cymru file; skip them
    :if ( [:pick $line 0] = "#" ) do={
    } else={
      # :put $line;
      /ipv6 firewall address-list add address=$line list=$addressListName;
    }
  } while ($lineEnd < $contentLen - 2)
}
If you need the simple (traditional) bogon list instead of the full one, use this line in the script (it is commented out in the IPv4 script above) as the URL:
# :set url "https://www.team-cymru.org/Services/Bogons/bogon-bn-agg.txt"
Then add the script to the scheduler with the same name as the script and the same policy. Run the script and look into the firewall address lists to check that the entries were added. Please note that you still have to create the corresponding block rules for the input/forward chains, placed before or after your whitelist rules according to your project/environment.
ENJOY being safe :)
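The firewall rules that actually consume the two address lists, and the scheduler entries that refresh them, as an added example that is not part of the original post. The interface list name WAN and the port ether1 are assumptions for your WAN-facing interface.

```routeros
# Added example (not from the original post): firewall rules that use the
# AUTOBOGON / IPv6_AUTOBOGON address lists built by the scripts above, plus
# the scheduler entries that refresh them once a day.
# Assumption: the WAN-facing port is ether1, placed in an interface list
# named WAN; change both to match your device.
/interface list add name=WAN
/interface list member add list=WAN interface=ether1

# Caveat: fullbogons include RFC1918, 100.64.0.0/10 (CGNAT), link-local and
# multicast space, so match only on WAN ingress; on a LAN port these rules
# would drop your own clients. If your ISP gives the WAN port a private or
# CGNAT address, add an accept for the upstream gateway prefix above the drop.
/ip firewall filter
add chain=input in-interface-list=WAN src-address-list=AUTOBOGON \
    action=drop comment="bogon source to router"
add chain=forward in-interface-list=WAN src-address-list=AUTOBOGON \
    action=drop comment="bogon source in transit"

# IPv6: fe80::/10 falls inside the v6 fullbogons, but the upstream router's
# RAs and neighbor discovery come from a link-local source, so let that
# ICMPv6 through before the drop or IPv6 on the WAN stops working.
/ipv6 firewall filter
add chain=input in-interface-list=WAN protocol=icmpv6 src-address=fe80::/10 \
    action=accept comment="NDP/RA from upstream link-local router"
add chain=input in-interface-list=WAN src-address-list=IPv6_AUTOBOGON \
    action=drop comment="bogon v6 source to router"
add chain=forward in-interface-list=WAN src-address-list=IPv6_AUTOBOGON \
    action=drop comment="bogon v6 source in transit"
# New rules are appended at the end of each chain; move the drops above your
# general accept rules with "/ip firewall filter move" (same for /ipv6),
# keeping the fe80::/10 accept ahead of the v6 drop.

# Scheduler: same name and policy as the script. A bare script name in
# on-event runs that script; once a day is what Team Cymru asks for.
/system scheduler
add name=AUTOBOGON on-event=AUTOBOGON interval=1d start-time=startup \
    policy=read,write,test
add name=IPv6_AUTOBOGON on-event=IPv6_AUTOBOGON interval=1d \
    start-time=startup policy=read,write,test

# Check after the first run:
#   /ip firewall address-list print count-only where list=AUTOBOGON
#   /ipv6 firewall address-list print count-only where list=IPv6_AUTOBOGON
```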