Drop and bogons list on Cisco router

Cyberspace, a.k.a. the Internet, is full of bad guys wanting to mess with our computers, right?

Of course every one of us has a firewall configured with proper access and inspection rules, don’t ya?

Spamhaus and Team Cymru can help by providing lists of known bad IPs and subnets that should be filtered in our networks.

Spamhaus DROP list

“DROP (Don’t Route Or Peer) and EDROP are advisory “drop all traffic” lists, consisting of netblocks that are “hijacked” or leased by professional spam or cyber-crime operations (used for dissemination of malware, trojan downloaders, botnet controllers). The DROP and EDROP lists are a tiny subset of the SBL, designed for use by firewalls and routing equipment to filter out the malicious traffic from these netblocks.”

Spamhaus DROP and EDROP lists can be downloaded from HERE; they are updated hourly.

Team Cymru Bogon List

“A bogon prefix is a route that should never appear in the Internet routing table”, so let’s filter those.

Team Cymru’s bogon list can be downloaded HERE; it is updated every four hours.

Apply on Cisco router

DROP list

The first thing we do is download the DROP lists in plain text:

wget https://www.spamhaus.org/drop/drop.lasso
wget https://www.spamhaus.org/drop/edrop.txt

Then we need some script magic to convert them to the familiar Cisco syntax.

Create a sed script file called subnet2wildmask.sed:

# Longest prefix first: sed runs the commands in order, and an unanchored
# s/\/1/ would otherwise also match the "/1" in "/16" and produce garbage.
s/\/32/ 0.0.0.0/
s/\/31/ 0.0.0.1/
s/\/30/ 0.0.0.3/
s/\/29/ 0.0.0.7/
s/\/28/ 0.0.0.15/
s/\/27/ 0.0.0.31/
s/\/26/ 0.0.0.63/
s/\/25/ 0.0.0.127/
s/\/24/ 0.0.0.255/
s/\/23/ 0.0.1.255/
s/\/22/ 0.0.3.255/
s/\/21/ 0.0.7.255/
s/\/20/ 0.0.15.255/
s/\/19/ 0.0.31.255/
s/\/18/ 0.0.63.255/
s/\/17/ 0.0.127.255/
s/\/16/ 0.0.255.255/
s/\/15/ 0.1.255.255/
s/\/14/ 0.3.255.255/
s/\/13/ 0.7.255.255/
s/\/12/ 0.15.255.255/
s/\/11/ 0.31.255.255/
s/\/10/ 0.63.255.255/
s/\/9/ 0.127.255.255/
s/\/8/ 0.255.255.255/
s/\/7/ 1.255.255.255/
s/\/6/ 3.255.255.255/
s/\/5/ 7.255.255.255/
s/\/4/ 15.255.255.255/
s/\/3/ 31.255.255.255/
s/\/2/ 63.255.255.255/
s/\/1/ 127.255.255.255/
s/\/0/ 255.255.255.255/

Then create the router commands by running these pipelines:

echo "ip access-list extended DROP.OUT" > DROP.OUT
cat drop.lasso | grep -v "^;" | awk 'BEGIN {FS=" ; "} ; { print $1}' | sed -f subnet2wildmask.sed | awk '{ print "permit ip any "$1" "$2}' >> DROP.OUT

echo "ip access-list extended DROP.IN" > DROP.IN
cat drop.lasso | grep -v "^;" | awk 'BEGIN {FS=" ; "} ; { print $1}' | sed -f subnet2wildmask.sed | awk '{ print "permit ip "$1" "$2" any"}' >> DROP.IN

echo "ip access-list extended EDROP.OUT" > EDROP.OUT
cat edrop.txt | grep -v "^;" | awk 'BEGIN {FS=" ; "} ; { print $1}' | sed -f subnet2wildmask.sed | awk '{ print "permit ip any "$1" "$2}' >> EDROP.OUT

echo "ip access-list extended EDROP.IN" > EDROP.IN
cat edrop.txt | grep -v "^;" | awk 'BEGIN {FS=" ; "} ; { print $1}' | sed -f subnet2wildmask.sed | awk '{ print "permit ip "$1" "$2" any"}' >> EDROP.IN

BOGON list

Get the list:

wget http://www.team-cymru.org/Services/Bogons/fullbogons-ipv4.txt

Convert subnet mask to wildcard mask and create Cisco commands:

echo "ip access-list extended BOGONS.IN" > BOGONS.IN
cat fullbogons-ipv4.txt | grep -v "^#" | sed -f subnet2wildmask.sed | awk '{ print "permit ip "$1" "$2" any"}' >> BOGONS.IN

Note: bogon filters should only be applied inbound (from the public to the private network).
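The two pipelines above (DROP/EDROP and bogons) do the same job: strip comment lines, keep the CIDR field, turn the prefix length into a Cisco wildcard mask and wrap each prefix in a permit statement. The following script is an added example, not part of the original post: it computes the wildcard mask arithmetically (the low 32 − n bits set) instead of using a lookup table, handles both file formats, and refuses to emit an ACL from a list that is empty or malformed, for instance when wget saved an HTML error page instead of the list. The sample list contents and the SBL ids in it are constructed for the example, not real snapshots; the ACL names and permit-statement layout are the ones used on this page.

```python
"""Generate Cisco named extended ACLs from Spamhaus DROP/EDROP and Team Cymru
bogon lists. Added example: the wildcard mask is computed, not looked up.
List files are fetched separately (wget) and passed in as text."""
import ipaddress
import sys

# Constructed sample in the Spamhaus DROP format: "CIDR ; SBL-id", ";" comments.
SAMPLE_DROP = """\
; Spamhaus DROP list - constructed sample, not a real snapshot
; Last-Modified: (placeholder)
198.51.100.0/24 ; SBL000001
203.0.113.0/24 ; SBL000002
198.18.0.0/15 ; SBL000003
"""

# Constructed sample in the Team Cymru fullbogons format: bare CIDRs, "#" comments.
SAMPLE_BOGONS = """\
# Team Cymru fullbogons - constructed sample, not a real snapshot
0.0.0.0/8
10.0.0.0/8
100.64.0.0/10
192.0.2.0/24
"""


def wildcard_mask(prefix_len):
    """Cisco wildcard mask for a prefix length: the bitwise inverse of the
    subnet mask, i.e. the low (32 - prefix_len) bits set."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length out of range: %r" % prefix_len)
    return str(ipaddress.IPv4Address(0xFFFFFFFF >> prefix_len))


def parse_prefixes(text):
    """Return the IPv4 networks listed in a DROP/EDROP or bogon file.
    Skips blank lines and ';' / '#' comment lines, keeps only the CIDR field
    of 'CIDR ; SBL-id' lines, and rejects malformed entries (a line with host
    bits set, or an HTML error page saved by wget) instead of emitting them."""
    networks = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        cidr = line.split(";", 1)[0].strip()
        try:
            networks.append(ipaddress.IPv4Network(cidr, strict=True))
        except ValueError as exc:
            raise ValueError("malformed list line %r: %s" % (raw, exc))
    if not networks:
        raise ValueError("list contained no prefixes; refusing to build an empty ACL")
    return networks


def acl_commands(name, networks, direction):
    """Build the IOS commands for one named extended ACL.
    direction 'in'  matches the prefix as source      (permit ip NET WILD any)
    direction 'out' matches the prefix as destination (permit ip any NET WILD)
    Entries are 'permit' because the ZBFW policy on the page applies 'drop'
    to the class that matches this ACL."""
    if direction not in ("in", "out"):
        raise ValueError("direction must be 'in' or 'out'")
    lines = ["ip access-list extended %s" % name]
    for net in networks:
        addr, wild = str(net.network_address), wildcard_mask(net.prefixlen)
        if direction == "in":
            lines.append("permit ip %s %s any" % (addr, wild))
        else:
            lines.append("permit ip any %s %s" % (addr, wild))
    return lines


def build_all(drop_text, edrop_text, bogon_text):
    """Produce the five ACLs used on the page (bogons are inbound only)."""
    drop, edrop, bogons = (parse_prefixes(t) for t in (drop_text, edrop_text, bogon_text))
    return {
        "DROP.IN": acl_commands("DROP.IN", drop, "in"),
        "DROP.OUT": acl_commands("DROP.OUT", drop, "out"),
        "EDROP.IN": acl_commands("EDROP.IN", edrop, "in"),
        "EDROP.OUT": acl_commands("EDROP.OUT", edrop, "out"),
        "BOGONS.IN": acl_commands("BOGONS.IN", bogons, "in"),
    }


if __name__ == "__main__":
    # Real use: python3 gen_acl.py drop.lasso edrop.txt fullbogons-ipv4.txt
    # With no arguments the constructed samples are used (EDROP reuses SAMPLE_DROP).
    if len(sys.argv) == 4:
        texts = [open(p, encoding="ascii", errors="replace").read() for p in sys.argv[1:]]
    else:
        texts = [SAMPLE_DROP, SAMPLE_DROP, SAMPLE_BOGONS]
    for name, cmds in build_all(*texts).items():
        print("\n".join(cmds))
        print()
```

The output is the same paste-ready text the shell pipelines produce. The policy-map shown later on this page references these ACL names through class-maps (`class-map type inspect match-any DROP.OUT` with `match access-group name DROP.OUT`, and likewise for the others), so the ACL names must match the class names exactly; the empty-list check matters because a class whose ACL has no entries matches nothing and the traffic silently falls through to the next class.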

Apply lists on Cisco’s Zone Based Firewall

We have 6 files now with all the commands necessary to create the access lists on the router:

  • DROP.IN

  • DROP.OUT

  • EDROP.IN

  • EDROP.OUT

  • BOGONS.IN

Just copy & paste the commands into the CLI.

You may have noticed that the commands are all permits. The reason is that I use Zone Based Firewall on my router with a policy like this:

policy-map type inspect LAN2WAN
    class type inspect DROP.OUT
        drop
    class type inspect EDROP.OUT
        drop
    class type inspect LAN
        inspect
    class class-default
        drop

policy-map type inspect WAN2LAN
    class type inspect BOGONS.IN
        drop
    class type inspect DROP.IN
        drop
    class type inspect EDROP.IN
        drop
    class type inspect WAN2LAN
        pass
    class class-default
        drop

I’ll not dig into the details of ZBFW configuration; if you’re interested, grab a copy of this excellent book written by Ivan and you’ll be good.

What’s next

Since DROP and bogon lists change over time, I’ll see how they work and maybe implement some sort of update automation with Python/Netmiko.

Wrap up

DROP and bogon lists should be applied on Tier 1 routers. We’re not supposed to see traffic matching those access lists; this is more a test and a “better safe than sorry” configuration, not something I expect to see in the NIST Guidelines on Firewalls and Firewall Policy, so please think about it before applying it on production routers.

FINAL NOTES: the access lists may be too long; check your device’s data sheet to be sure it can support them, or enable compression of the config:

ROUTER(config)#service compress-config