Team Cymru is a security and analytics company that provides several valuable services to the IT industry. They also provide a free BGP peering service called the BOGON Route Server Project to receive an up to date list of BOGONs/ Martians so that they can be filtered out of your network. This service has minimal resource requirements and any MikroTik router from the RB3011 and up can easily handle peering for this purpose although you may need a more powerful router depending on your own network requirements. CCRs and CHRs are very inexpensive and they would be a good choice for this. In truth, some of the smaller ones could do it too depending on how you were using them. If you have never used BGP before, you’ll be surprised by how easy it is to set this up!
A BOGON, sometimes referred to as a Martian packet, is a bogus IP address. This includes the “BOGON Short List” which is all of the RFCs that carve address space out of the total possible IP addresses there are and reserve them for some special purpose. The most well known of these is the RFC 1918 address space (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16). There is also a “BOGON Long List” that includes the short list and any unallocated addresses. The IPv4 “Long List” is not very long anymore, but the IPv6 address list is. You’ll want one of the more powerful routers for the IPv6 routes if you choose to take them. The reason this service is so valuable is that malicious packets are often sourced from a bogus address and being able to filter them out protects your network from those sorts of attacks. Like any other security service, this is just one layer of the onion.
What you will need to start:
All you need is a router with a public IP address. Team Cymru uses “multi-hop” so you will not need a direct connection or a tunnel. They are are also using private ASNs, so you do not need a public ASN. Just make one up and if no one is using it, your set. More on that latter.
A few notes about this tutorial:
This tutorial shows how to Peer with Team Cymru from your Gateway router(s) with either one or two ISPs providing Internet access to your network. In this example a BGP connection between these two routers is not shown because its not needed to get the desired results…null routing BOGONs. This is also not intended to be a course in BGP, but rather a tutorial demonstrating the steps needed to accomplish this specific goal for someone who is new to MikroTik BGP. If your network is already running BGP, there will be other factors to consider and you will need to sanity check things as to how it applies to your network.
The steps shown are how you would set this up on a Gateway router (the ingress/ egress point of your network), but does not include a decision process if you are using multiple Gateways. The reason being, is that their are too many factors to consider to create a single tutorial that would apply to all networks.
Step 1: Go to their website and fill out the contact form. It will take one to three days for them to email you back and let you know that is already set up. Their side will already be built when you get the confirmation email and setting up your side will only take a couple of minutes.
Step 2: In your MikroTik router, configure your ASN under Routing -> BGP and choosing the Instances Tab. The ASN has to be either a 16bit number or a 32bit number (ie. 65535 or 4294967294). The private range of ASNs is 64512-65535 for 16bit and 4200000000 – 4294967294 for 32bit.
Step 3: Configure your peer settings on the Peers tab.
At this point you will want to make sure everything is working correctly by checking to see if the peer entry shows “Established”. If it says “Established” then you will start receiving routes. If its doesn’t peer, then double check the email you recieved against the settings in Steps 2 & 3. Make sure that you can ping the far side. Double check your firewall if you have one.
Step 4: Safety step! – Configure your In and Out Filters to prevent unwanted routes from accidentally being sent through the connection. This will be found in Routing -> Filters.
This filter prevents you from accidentally sending routes to them.
These next two filters prevents them from accidentally sending you routes that are not a part of the correct community.
Accept from Team Cymru as long as it is part of the correct community.
Discard everything else from Team Cymru.
Step 5: Verify that you are receiving routes and view the BGP community string. This is done in IP -> Routes.
BGP community numbers are values that get sent along with the route and potentially propagate all the way through a BGP connected network. This allows easy identification and policies to handle those routes. Its usually two 16bit numbers separated by a colon. The idea is that the first number would be the ASN and the second would identify the community string. Team Cymru also adds them to the “no export” community by default which prevents them from accidentally being propagated to other routers.
Step 6: Create a filter rule to black hole all traffic that is in that community.
This is what you finished rule set will look like.
Step 7: Check your routes to make sure they now have the flags DAbB (Dynamic, Active, BGP, blackhole).
If you have two or more Gateway routers, repeat these steps on each one.