BCP38/84 and DDoS ACLs

Compton, Rich A Rich.Compton at charter.com
Fri May 26 16:01:26 UTC 2017


To block UDP port 19 you can add something like:
deny udp any eq 19 any
deny udp any any eq 19

This will prevent the DDoS attack traffic entering your network (source
port 19) as well as the hosts scanning around looking for hosts on your
network that can be used in amplification attacks (destination port 19).
Please note that this will not block the UDP fragments that come with
these attacks which have no L4 port to block.  You can possibly do
policing on UDP fragments to address this.

I'd also suggest adding:
deny udp any eq 17 any
deny udp any any eq 17

deny udp any eq 123 any packet-length eq 468

deny udp any eq 520 any
deny udp any any eq 520

deny udp any eq 1900 any
deny udp any any eq 1900

Some people will complain that you shouldn't block UDP port 1900 because
it's above 1023, but believe me, it's worth it.



also to block invalid source IPs to prevent some spoofed traffic from
coming into your network:

deny ipv4 0.0.0.0 0.255.255.255 any
deny ipv4 10.0.0.0 0.255.255.255 any
deny ipv4 11.0.0.0 0.255.255.255 any
deny ipv4 22.0.0.0 0.255.255.255 any
deny ipv4 30.0.0.0 0.255.255.255 any
deny ipv4 100.64.0.0 0.63.255.255 any
deny ipv4 127.0.0.0 0.255.255.255 any
deny ipv4 169.254.0.0 0.0.255.255 any
deny ipv4 172.16.0.0 0.15.255.255 any
deny ipv4 192.0.0.0 0.0.0.255 any
deny ipv4 192.0.2.0 0.0.0.255 any
deny ipv4 192.168.0.0 0.0.255.255 any
deny ipv4 198.18.0.0 0.1.255.255 any
deny ipv4 198.51.0.0 0.0.0.255 any
deny ipv4 203.0.113.0 0.0.0.255 any
deny ipv4 224.0.0.0 31.255.255.255 any


For BCP38 and 84 you would want to enable uRPF
https://en.wikipedia.org/wiki/Reverse_path_forwarding
https://tools.ietf.org/html/rfc3704



Rich Compton   |     Principal Eng     |   314.596.2828
14810 Grasslands  Dr,    Englewood,      CO    80112
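As an added example (not code from Rich Compton's post or anything in the NANOG thread), the following Python evaluates a subset of the IOS-style ACEs quoted above against constructed sample packets, so you can see which line catches a chargen reflection, a chargen scan, a 468-byte NTP monlist reply, and a spoofed RFC 1918 source, and why a non-initial UDP fragment (no L4 header, modelled here as sport/dport None) passes every port-based line. It assumes the list sits above a `permit ipv4 any any`, uses documentation addresses (203.0.113.x, 198.51.100.x) as sample hosts and therefore omits the post's TEST-NET bogon lines, and includes a `cidr_to_wildcard` helper for turning a prefix into the address/wildcard pair these ACEs use. The `Packet`, `parse_ace`, `matches` and `evaluate` names are the example's own.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Added example (not the post's config): a subset of the IOS-style ACEs quoted
# above, evaluated against constructed packets.
ACL = """\
deny udp any eq 19 any
deny udp any any eq 19
deny udp any eq 123 any packet-length eq 468
deny udp any eq 1900 any
deny udp any any eq 1900
deny ipv4 10.0.0.0 0.255.255.255 any
deny ipv4 100.64.0.0 0.63.255.255 any
deny ipv4 127.0.0.0 0.255.255.255 any
deny ipv4 172.16.0.0 0.15.255.255 any
deny ipv4 192.168.0.0 0.0.255.255 any
deny ipv4 224.0.0.0 31.255.255.255 any
"""

@dataclass
class Packet:
    src: str
    dst: str
    proto: str            # "udp", "tcp", "icmp", ...
    sport: Optional[int]  # None when no L4 header is present (non-initial fragment)
    dport: Optional[int]
    length: int           # total IP length, which 'packet-length' tests

def cidr_to_wildcard(cidr):
    """Render a prefix as the 'address wildcard' pair an IOS ACE expects."""
    net = ipaddress.IPv4Network(cidr)
    return f"{net.network_address} {net.hostmask}"

def wildcard_to_network(addr, wild):
    """Inverse of cidr_to_wildcard; non-contiguous wildcards raise ValueError."""
    netmask = (~int(ipaddress.IPv4Address(wild))) & 0xFFFFFFFF
    return ipaddress.IPv4Network((addr, str(ipaddress.IPv4Address(netmask))))

def _addr(t, i):
    """Parse 'any' or 'A.B.C.D W.X.Y.Z' at token i; return (network|None, next i)."""
    if t[i] == "any":
        return None, i + 1
    return wildcard_to_network(t[i], t[i + 1]), i + 2

def _port(t, i):
    if i < len(t) and t[i] == "eq":
        return int(t[i + 1]), i + 2
    return None, i

def parse_ace(line):
    """'deny|permit <proto> <src> [eq P] <dst> [eq P] [packet-length eq N]'."""
    t = line.split()
    src, i = _addr(t, 2)
    sport, i = _port(t, i)
    dst, i = _addr(t, i)
    dport, i = _port(t, i)
    plen = int(t[i + 2]) if i < len(t) and t[i] == "packet-length" else None
    return dict(action=t[0], proto=t[1], src=src, sport=sport,
                dst=dst, dport=dport, plen=plen)

def matches(ace, p):
    if ace["proto"] != "ipv4" and ace["proto"] != p.proto:
        return False
    if ace["src"] is not None and ipaddress.IPv4Address(p.src) not in ace["src"]:
        return False
    if ace["dst"] is not None and ipaddress.IPv4Address(p.dst) not in ace["dst"]:
        return False
    # Port terms need an L4 header: a non-initial fragment (sport/dport None)
    # falls through every ACE that names a port, which is the post's caveat.
    if ace["sport"] is not None and p.sport != ace["sport"]:
        return False
    if ace["dport"] is not None and p.dport != ace["dport"]:
        return False
    if ace["plen"] is not None and p.length != ace["plen"]:
        return False
    return True

ACES = [(line, parse_ace(line)) for line in ACL.splitlines()]

def evaluate(p, aces=ACES):
    """First match wins; assumes the list ends in 'permit ipv4 any any'."""
    for line, ace in aces:
        if matches(ace, p):
            return ace["action"], line
    return "permit", "permit ipv4 any any (assumed trailing entry)"

# Constructed sample traffic on documentation addresses, not captured data.
SAMPLES = {
    "chargen reflection":  Packet("203.0.113.5", "198.51.100.9", "udp", 19, 40000, 1400),
    "chargen scan":        Packet("203.0.113.6", "198.51.100.9", "udp", 54321, 19, 60),
    "ntp monlist reply":   Packet("203.0.113.7", "198.51.100.9", "udp", 123, 50000, 468),
    "normal ntp reply":    Packet("203.0.113.7", "198.51.100.9", "udp", 123, 50000, 76),
    "udp fragment":        Packet("203.0.113.5", "198.51.100.9", "udp", None, None, 1400),
    "spoofed rfc1918 src": Packet("10.1.2.3", "198.51.100.9", "udp", 53, 33000, 120),
    "normal dns reply":    Packet("203.0.113.8", "198.51.100.9", "udp", 53, 33000, 120),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        action, line = evaluate(pkt)
        print(f"{name:20s} -> {action:6s} via {line}")
```

Running it shows the "udp fragment" sample reaching the assumed trailing permit while every other attack sample is denied by the expected line, which is why the post suggests policing UDP fragments separately; the "normal ntp reply" (76 bytes) also passes, showing that the `packet-length eq 468` qualifier keeps ordinary NTP working.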






On 5/26/17, 11:39 AM, "NANOG on behalf of Graham Johnston"
<nanog-bounces at nanog.org on behalf of johnstong at westmancom.com> wrote:

>I really did try looking before I sent the email but couldn't quickly
>find what I was looking for.
>
>I am looking for information regarding standard ACLs that operators may
>be using at the internet edge of their network, on peering and transit
>connections, wherein you are filtering ingress packets such as those
>sourced from UDP port 19 for instance. I've found incomplete conceptual
>discussions about it, but nothing that seemed concrete or complete.
>
>This doesn't seem quite like it is BCP38 and more like this is BCP84, but
>it only talks about use of ACLs in section 2.1 without providing any
>examples. Given that it is also 13 years old I thought there might be
>fresher information out there.
>
>Thanks,
>graham 
