ACLs / Filter Lists - Best Practices

Rob Thomas
Fri Nov 30 16:46:22 UTC 2001

Hi, all.

Just a couple of comments in response to:

] - <rant>RFC 1918 filtering is no silver bullet.  Yes, it should be done, but
] all a malicious person needs in order to be able to launch an effective DDoS
] attack is to source from unassigned address space or address space that is
] known to be unused.</rant>

I filter all RFC 1918 and unused/bogon space at my borders (in both
prefix-lists and ACLs).  This cuts down on a large percentage of the
garbage.  Of course I filter outbound as well, to protect the Internet
from my data centers.  :)  You can see the filtering I use in the Secure
IOS Template and Secure BGP Templates here:

With one routinely attacked site, 68% of the incoming traffic uses bogon
source addresses (e.g.,,, etc.)  So this
filtering really does help.  However, having said that, please keep in
mind that most of the bots I disassemble and botnets I monitor don't bother
to spoof at all.  Many don't include the capability to generate spoofed or
malformed packets.  Why?  Because the number of bots used in the attack is
already overwhelming.  It is almost impossible to block them all with
conventional filtering, so there is no need to spoof.  Further, tracking
them is quite difficult as well.  Try explaining to a home user that his or
her machine has been used in a DDoS attack.  The response I received from one
home PC owner was:  "Cool!"  :P

FYI, the miscreants continue to hack vulnerable Cisco routers.  I watched
as one crew gathered 800 ciscos (underground parlance) a few days ago.
Please ensure that you have access control and good passwords on your
routers.  Advise your customers to do the same.

Hmm, when will I ever be able to keep my posts to "just a couple of
comments?"  :)

Rob Thomas
ASSERT(coffee != empty);
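
An added illustration, not part of Rob's post: a small Python model of the ingress and egress source-address filtering described above, run over a constructed sample of inbound sources. The martian list, the assumed own prefix 203.0.113.0/24 and every sample address are constructed; unallocated (bogon) space is intentionally not hard-coded because it changes over time.

```python
# Added example (not from the original post): models border ingress/egress
# source filtering and measures how much of a constructed inbound sample it drops.
import ipaddress
from typing import Iterable

# RFC 1918 private space plus well-known special-use ("martian") ranges.
# Unallocated/bogon space changes over time and must come from a maintained,
# regularly refreshed list; it is deliberately not hard-coded here.
MARTIANS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",       # "this" net, loopback, link-local
    "224.0.0.0/4", "240.0.0.0/4",                        # multicast, reserved
)]

# Assumed for this example: the address space behind this border router.
OWN_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]

def _in_any(addr, nets) -> bool:
    return any(addr in n for n in nets)

def ingress_verdict(src: str) -> str:
    """Inbound from the Internet: drop martian sources and packets claiming
    our own space as source (they cannot legitimately arrive from outside)."""
    a = ipaddress.ip_address(src)
    if _in_any(a, MARTIANS):
        return "drop-bogon"
    if _in_any(a, OWN_PREFIXES):
        return "drop-spoofed-own"
    return "permit"

def egress_verdict(src: str) -> str:
    """Outbound to the Internet: only our own prefixes may appear as source."""
    a = ipaddress.ip_address(src)
    return "permit" if _in_any(a, OWN_PREFIXES) else "drop-not-ours"

def bogon_share(sources: Iterable[str]) -> float:
    """Fraction of inbound sources the ingress filter would drop."""
    verdicts = [ingress_verdict(s) for s in sources]
    return sum(v != "permit" for v in verdicts) / len(verdicts)

# Constructed inbound sample; documentation addresses stand in for routable space.
SAMPLE_INBOUND = [
    "10.1.2.3", "192.168.0.7", "172.20.5.5", "0.0.0.1", "127.0.0.1",
    "203.0.113.9",                       # our own prefix from outside: spoofed
    "198.51.100.4", "192.0.2.44", "224.0.0.9", "169.254.10.10",
]

if __name__ == "__main__":
    print(f"bogon/spoofed share of inbound sample: {bogon_share(SAMPLE_INBOUND):.0%}")
```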
