address spoofing
Randy Bush
randy at psg.com
Thu Apr 22 22:15:10 UTC 1999

first, apologies for bringing up an operational issue.

a long while back, i noticed my border filters were showing incoming
packets from 1918 addresses and my own address blocks. i wrote this off
to anomalies and did not have the time to pursue.

yesterday, i happened to notice it again. i described it on an internal
mailing list. other folk looked at their filters, and lo and behold, it
is a widespread problem.

fyi, my filter looks like the following:

! what we allow to come in the serials from the world
no access-list 105
! PSGnet
access-list 105 deny ip 147.28.0.0 0.0.255.255 any
access-list 105 deny ip 192.83.230.0 0.0.0.255 any
access-list 105 deny ip 198.133.206.0 0.0.0.255 any
! loopback and rfc1918
access-list 105 deny ip 127.0.0.1 0.255.255.255 any
access-list 105 deny ip 10.0.0.0 0.255.255.255 any
access-list 105 deny ip 172.16.0.0 0.15.255.255 any
access-list 105 deny ip 192.168.0.0 0.0.255.255 any
! block portmapper and nfsd attacks
access-list 105 deny udp any any eq sunrpc
access-list 105 deny tcp any any eq 2049
! block samba
access-list 105 deny tcp any any eq 137
access-list 105 deny tcp any any eq 138
access-list 105 deny tcp any any eq 139
!
! some other stuff
! allow all others
access-list 105 permit ip any any

the results of 30 hours of running are

deny ip 147.28.0.0 0.0.255.255 any (6 matches)
deny ip 192.83.230.0 0.0.0.255 any
deny ip 198.133.206.0 0.0.0.255 any
deny ip 127.0.0.0 0.255.255.255 any (375 matches)
deny ip 10.0.0.0 0.255.255.255 any (593 matches)
deny ip 172.16.0.0 0.15.255.255 any (201 matches)
deny ip 192.168.0.0 0.0.255.255 any (769 matches)
deny udp any any eq sunrpc (9 matches)
deny tcp any any eq 2049 (494 matches)
deny tcp any any eq 137
deny tcp any any eq 138
deny tcp any any eq 139
permit ip any any (9467763 matches)

when we tried it on routers in different parts of the network, it seemed
to show similar patterns.

anyone have clues other than net slime and misconfigured nats?

randy
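
Added example, not part of the original message or the author's own tooling: a small Python evaluator for the source-address entries of access-list 105, showing how wildcard masks and first-match ordering produce per-entry counters like those above, and why an entry configured as 127.0.0.1 is listed as 127.0.0.0 in the counter output. The function names and the sample source addresses are constructed for illustration.

```python
import ipaddress
from collections import Counter

# Source-address entries of access-list 105, copied from the post.
ACL_105 = """\
access-list 105 deny ip 147.28.0.0 0.0.255.255 any
access-list 105 deny ip 192.83.230.0 0.0.0.255 any
access-list 105 deny ip 198.133.206.0 0.0.0.255 any
access-list 105 deny ip 127.0.0.1 0.255.255.255 any
access-list 105 deny ip 10.0.0.0 0.255.255.255 any
access-list 105 deny ip 172.16.0.0 0.15.255.255 any
access-list 105 deny ip 192.168.0.0 0.0.255.255 any
access-list 105 permit ip any any
"""
ALL = 0xFFFFFFFF

def to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))

def parse_acl(text):
    """Parse 'ip <src> <wildcard> any' and 'ip any any' entries, in order."""
    rules = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 6 or f[0] != "access-list" or f[3] != "ip":
            continue
        if f[4] == "any":
            base, wild, shown = 0, ALL, "any"
        else:
            wild = to_int(f[5])
            # Bits set in the wildcard are "don't care", so they are cleared
            # from the stored address: 127.0.0.1 is kept as 127.0.0.0.
            base = to_int(f[4]) & ~wild & ALL
            shown = f"{ipaddress.IPv4Address(base)} {f[5]}"
        rules.append({"action": f[2], "base": base, "wild": wild,
                      "label": f"{f[2]} ip {shown} any"})
    return rules

def first_match(rules, src):
    """Return the first entry whose cared-about bits equal those of src."""
    s = to_int(src)
    for rule in rules:
        if (s & ~rule["wild"] & ALL) == rule["base"]:
            return rule
    return {"action": "deny", "label": "implicit deny"}  # end-of-list default

def tally(rules, sources):
    """Count hits per entry, like the per-line match counters in the post."""
    return Counter(first_match(rules, s)["label"] for s in sources)

# Constructed source addresses, not traffic from the post.
SAMPLE = ["10.1.2.3", "192.168.1.10", "172.31.255.254", "172.32.0.1",
          "127.0.0.1", "147.28.0.36", "198.51.100.7", "192.168.1.10"]
```

Calling tally(parse_acl(ACL_105), SAMPLE) gives one count per matched entry; 172.31.255.254 falls inside the 0.15.255.255 wildcard while 172.32.0.1 falls through to the final permit.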