address spoofing

Jared Mauch jared at puck.Nether.net
Thu Apr 22 22:56:30 UTC 1999


	True.

	I see numerous strays also tho myself.

	I try to drop this as close to the edge as possible
in some cases, but as you can see here:

    deny   ip host 0.0.0.0 any log-input (4322 matches)
    deny   ip 10.0.0.0 0.255.255.255 any log-input (625 matches)
    deny   ip 169.254.0.0 0.0.255.255 any log-input (887 matches)
    deny   ip 192.168.0.0 0.0.255.255 any log-input (11401 matches)

	I get a few matches, it would appear that folks like the 192.168
the most, and the 172.16 the least (I have zero matches on this box).

	Something dumb appears to be sending dhcp/bootp (0.0.0.0)
(I've got a hub at home that keeps doing that, I've not been able to 
console into it yet)

	My recommendation is to ignore it in the core, but start to drop
it once it hits your edges where you tend to have lower speed links
that can take filters.

	u-rpf checks are nice also, it would be nice to see more folks
doing it, but that's life in this world.

	If you could get everyone at the exchange points to filter,
that would be nice, but the fact of the matter is most traffic goes
across the private interconnects, which continue to grow in size,
and it's not possible or is service degrading to filter such links.

On Thu, Apr 22, 1999 at 03:42:14PM -0700, Gary E. Miller wrote:
> 
> Yo Randy!
> 
> On Thu, 22 Apr 1999, Randy Bush wrote:
> 
> >     deny ip 10.0.0.0 0.255.255.255 any (593 matches)
> >     deny ip 172.16.0.0 0.15.255.255 any (201 matches)
> >     deny ip 192.168.0.0 0.0.255.255 any (769 matches)
> [...]
> > anyone have clues other than net slime and misconfigured nats?

	The net-slime would be the folks that sent a src address at 
you of your network (which I saw in your acl match).

> If you did a traceroute thru a router using a private address on
> one of its interfaces you could see this.  That would be legit.
> 
> RGDS
> GARY
> ---------------------------------------------------------------------------
> Gary E. Miller Rellim 20340 Empire Ave, Suite E-3, Bend, OR 97701
> 	gem at rellim.com  Tel:+1(541)382-8588 Fax: +1(541)382-8676
> 

-- 
Jared Mauch  | pgp key available via finger from jared at puck.nether.net
clue++;      | http://puck.nether.net/~jared/  My statements are only mine.
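
The counter lines quoted in this message can be tallied mechanically. The following is an added example, not part of the original post: it parses the wildcard-mask deny lines into CIDR blocks, ranks them by hit count, and reports which RFC 1918 block shows no hits. The function names are the example's own.

```python
import ipaddress
import re
# Counter lines as quoted in the message above (Cisco wildcard-mask syntax).
ACL_OUTPUT = """\
    deny   ip host 0.0.0.0 any log-input (4322 matches)
    deny   ip 10.0.0.0 0.255.255.255 any log-input (625 matches)
    deny   ip 169.254.0.0 0.0.255.255 any log-input (887 matches)
    deny   ip 192.168.0.0 0.0.255.255 any log-input (11401 matches)
"""
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SRC_RE = re.compile(r"deny\s+ip\s+(?:host\s+(\S+)|(\S+)\s+(\S+))\s+any\b")
HITS_RE = re.compile(r"\((\d+) match(?:es)?\)")

def wildcard_to_network(addr, wildcard):
    """Turn an address plus wildcard mask into a CIDR network."""
    w = int(ipaddress.IPv4Address(wildcard))
    if w & (w + 1):  # only a contiguous run of low-order 1 bits maps to a prefix
        raise ValueError(f"non-contiguous wildcard mask: {wildcard}")
    return ipaddress.ip_network(f"{addr}/{32 - w.bit_length()}")

def parse_acl(text):
    """Return [(source_network, hit_count)], one entry per deny line."""
    entries = []
    for line in text.splitlines():
        m = SRC_RE.search(line)
        if not m:
            continue
        host, addr, wild = m.groups()
        net = (ipaddress.ip_network(f"{host}/32") if host
               else wildcard_to_network(addr, wild))
        hits = HITS_RE.search(line)  # a line with no counter text counts as 0
        entries.append((net, int(hits.group(1)) if hits else 0))
    return entries

def ranked(entries):
    """Entries ordered by hit count, busiest source block first."""
    return sorted(entries, key=lambda e: e[1], reverse=True)

def uncounted_rfc1918(entries):
    """RFC 1918 blocks with no non-zero counter in the parsed output."""
    seen = {net for net, hits in entries if hits > 0}
    return [n for n in RFC1918 if n not in seen]

if __name__ == "__main__":
    entries = parse_acl(ACL_OUTPUT)
    for net, hits in ranked(entries):
        print(f"{hits:>6}  {net}")
    print("no hits:", [str(n) for n in uncounted_rfc1918(entries)])
```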



