My IP Help

Bogon IP

Also known as: Bogon, Martian address

An IP address that should not be appearing on the public internet — either from a reserved range, an unallocated block, or a private range — and which routers should drop.

Last updated:

What is a bogon?

A bogon is an IP address that has no legitimate reason to appear as the source of public internet traffic. Seeing a bogon source address in your logs almost always means one of three things: a misconfigured network, a source-address spoofing attempt (usually preparing a DDoS amplification attack), or a hobbyist probe.

Bogons come from several categories:

  • Private ranges that leaked into the public internet: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16
  • Loopback: 127.0.0.0/8
  • Link-local: 169.254.0.0/16
  • Benchmark / TEST-NET: 192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24 (the ones you see in documentation)
  • Multicast: 224.0.0.0/4
  • Unallocated space — ranges that no RIR has assigned to any ISP or organization

Why bogon lists are useful

Network operators publish bogon lists so firewall and BGP filters can drop traffic from these ranges at the edge. The two main sources are:

  • Team Cymru's Bogon Reference — one of the canonical lists, with BGP, DNS, and HTTP-based distribution methods so routers can fetch current data automatically
  • IANA's Special Purpose Address Registry — the authoritative list of reserved blocks

Bogon filters catch a surprising amount of junk:

  • Spoofed attack traffic from amplification DDoS campaigns
  • Misconfigured devices that leaked their internal addresses
  • Early-warning signals of BGP hijacks or routing leaks

Fullbogons vs. bogons

There are two flavors:

  • Bogons — only the reserved ranges (stable set defined by IANA)
  • Fullbogons — reserved ranges plus any address space not yet allocated to an RIR. The fullbogon list changes as IANA assigns new /8s (IPv4) or /12s (IPv6), and any source address from such unallocated space is definitionally illegitimate

Our IP lookup flags bogon results so you can immediately spot spoofed source addresses in logs.

Frequently Asked Questions

A bogon source IP in your inbound traffic almost always means one of three things: a misconfigured device leaking its private address, a spoofed packet preparing or executing a DDoS amplification attack, or an early signal of a BGP hijack. None of these have legitimate inbound use cases, so blocking bogons at the edge cuts noise without breaking anything real. Operators that don't filter bogons regularly see their infrastructure participate unwittingly in reflection attacks.
A bogon is a reserved or unallocated address that should never appear on the public internet — the IANA-defined ranges like RFC 1918, loopback, link-local, multicast, and TEST-NET. A fullbogon adds every address space that no Regional Internet Registry has yet allocated to any ISP. The bogon list is stable; the fullbogon list changes whenever IANA assigns a new /8 (IPv4) or /12 (IPv6), so fullbogon filters need automatic updates from sources like Team Cymru.
Yes — at the network edge, both inbound and outbound. Inbound, a packet with a bogon source address has no legitimate sender and is almost certainly spoofed. Outbound, a packet to a bogon destination is almost certainly a misconfiguration leaking internal addresses. Most enterprise firewalls have built-in bogon ACLs; for BGP routers, automated bogon-update services keep the filter current. The standard exception is when you intentionally use private addresses inside the network — those should be filtered only at the boundary, not internally.
The base bogon list (IANA reserved ranges) changes very rarely — typically once or twice per decade as new reserved blocks are defined or old ones are released. The fullbogon list changes every few months as IANA allocates new IPv4 /8s (less often now that IPv4 is exhausted) or new IPv6 /12s. Team Cymru publishes both lists via BGP, DNS, and HTTP feeds that update automatically, so routers stay current without manual intervention.
"Martian address" is an older term for the same concept as bogon — an IP address that should not appear on a particular network. The Linux kernel still logs "martian source" warnings when it receives packets with bogon source addresses on interfaces where they don't belong. The two terms are largely interchangeable in modern usage, though "bogon" is preferred in operational contexts and "martian" persists in OS kernel messages and older documentation.
Back to glossary