Martian list of IP's to block???
bmanning at vacation.karoshi.com
bmanning at vacation.karoshi.com
Fri Oct 1 15:49:23 UTC 1999
> I used the ones Cisco outlined in their document IOS Essentials every ISP
> Should Know. Here is a copy of the list I use for out clients:
>
> deny ip host 0.0.0.0 any log
> deny ip 127.0.0.0 0.255.255.255 any log
> deny ip 10.0.0.0 0.255.255.255 any log
> deny ip 172.16.0.0 0.15.255.255 any log
> deny ip 192.168.0.0 0.0.255.255 any log
> deny ip xxx.xxx.xxx.0 0.0.0.255 any log
> deny ip 224.0.0.0 31.255.255.255 any log
>
> We are denyingy anyone that claims that their IP address is 0.0.0.0,
> Loopback addresses, all of the RFC 1918 addresses, address coming into us
> claiming they belong to our subnet, and multicast addresses. It seems to
> work for us. I also turn of ip directed broadcasts to minimize smurf/DoS
> attacks. If you would like a copy of the document I used, let me know and
> I'll e-mail a copy to you.
Its also useful to block
192.0.2.0/24 - the test network. so designated for documentation use
169.254.0.0/16 - the link-local network.
I'm not convinced that blocking native multicast is a good idea.
--bill
More information about the NANOG
mailing list