BCP38/84 and DDoS ACLs

Dave Bell me at geordish.org
Sat May 27 09:54:15 UTC 2017


Your bogon list has a few non-bogons, and is missing a few current bogon.

Team Cymru keep a good resource for this: http://www.team-cymru.org/bogon-dotted-decimal.html

Regards,
Dave
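As an added example (not code from this thread or from Team Cymru), the script below parses Cisco-style `deny ipv4 <addr> <wildcard> any` lines such as the bogon ACL quoted further down, converts each wildcard mask to CIDR, and reports entries that fall outside a reference set of RFC-defined special-purpose prefixes as well as reference prefixes the ACL does not cover. The reference set embedded in the script is an assumption standing in for the Team Cymru list, which also tracks unallocated space and changes over time.

```python
import ipaddress
import re

# Reference IPv4 special-purpose prefixes, constructed from the RFC 1918/5737/
# 6598/6890 registries. This is an assumption, NOT the Team Cymru bogon list.
# Adjacent prefixes are collapsed (224/4 + 240/4 -> 224/3) before comparing.
REFERENCE_BOGONS = list(ipaddress.collapse_addresses(ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.0.0/24", "192.0.2.0/24", "192.168.0.0/16",
    "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "224.0.0.0/4", "240.0.0.0/4",
)))

# The bogon ACL quoted in the thread, embedded here as sample input.
SAMPLE_ACL = """
> deny ipv4 0.0.0.0 0.255.255.255 any
> deny ipv4 10.0.0.0 0.255.255.255 any
> deny ipv4 11.0.0.0 0.255.255.255 any
> deny ipv4 22.0.0.0 0.255.255.255 any
> deny ipv4 30.0.0.0 0.255.255.255 any
> deny ipv4 100.64.0.0 0.63.255.255 any
> deny ipv4 127.0.0.0 0.255.255.255 any
> deny ipv4 169.254.0.0 0.0.255.255 any
> deny ipv4 172.16.0.0 0.15.255.255 any
> deny ipv4 192.0.0.0 0.0.0.255 any
> deny ipv4 192.0.2.0 0.0.0.255 any
> deny ipv4 192.168.0.0 0.0.255.255 any
> deny ipv4 198.18.0.0 0.1.255.255 any
> deny ipv4 198.51.0.0 0.0.0.255 any
> deny ipv4 203.0.113.0 0.0.0.255 any
> deny ipv4 224.0.0.0 31.255.255.255 any
"""

# Accepts lines pasted straight from a quoted mail ('> ' prefixes are ignored).
ACL_RE = re.compile(r"^[>\s]*deny\s+ipv4\s+(\S+)\s+(\S+)\s+any\s*$")

def parse_acl(text):
    """Turn 'deny ipv4 <addr> <wildcard> any' lines into IPv4Network objects.
    A Cisco wildcard mask is a hostmask, which ipaddress accepts as-is."""
    return [ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False)
            for m in map(ACL_RE.match, text.splitlines()) if m]

def audit(acl_nets, reference=REFERENCE_BOGONS):
    """Return ([ACL entries not inside any reference prefix],
    [reference prefixes that no single ACL entry covers]) as CIDR strings."""
    not_bogon = [str(n) for n in acl_nets if not any(n.subnet_of(r) for r in reference)]
    missing = [str(r) for r in reference if not any(r.subnet_of(n) for n in acl_nets)]
    return not_bogon, missing
```

Run against the quoted ACL, `audit(parse_acl(SAMPLE_ACL))` flags 11/8, 22/8, 30/8 and 198.51.0.0/24 as outside the reference set and 198.51.100.0/24 (RFC 5737 TEST-NET-2) as not covered.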

On 26 May 2017 5:01 pm, "Compton, Rich A" <Rich.Compton at charter.com> wrote:

> To block UDP port 19 you can add something like:
> deny udp any eq 19 any
> deny udp any any eq 19
>
> This will prevent the DDoS attack traffic entering your network (source
> port 19) as well as the hosts scanning around looking for hosts on your
> network that can be used in amplification attacks (destination port 19).
> Please note that this will not block the UDP fragments that come with
> these attacks which have no L4 port to block.  You can possibly do
> policing on UDP fragments to address this.
>
> I'd also suggest adding:
> deny udp any eq 17 any
> deny udp any any eq 17
>
> deny udp any eq 123 any packet-length eq 468
>
> deny udp any eq 520 any
> deny udp any any eq 520
>
> deny udp any eq 1900 any
> deny udp any any eq 1900
>
> Some people will complain that you shouldn't block UDP port 1900 because
> it's above 1023 but believe me it's worth it.
>
> also to block invalid source IPs to prevent some spoofed traffic from
> coming into your network:
>
> deny ipv4 0.0.0.0 0.255.255.255 any
> deny ipv4 10.0.0.0 0.255.255.255 any
> deny ipv4 11.0.0.0 0.255.255.255 any
> deny ipv4 22.0.0.0 0.255.255.255 any
> deny ipv4 30.0.0.0 0.255.255.255 any
> deny ipv4 100.64.0.0 0.63.255.255 any
> deny ipv4 127.0.0.0 0.255.255.255 any
> deny ipv4 169.254.0.0 0.0.255.255 any
> deny ipv4 172.16.0.0 0.15.255.255 any
> deny ipv4 192.0.0.0 0.0.0.255 any
> deny ipv4 192.0.2.0 0.0.0.255 any
> deny ipv4 192.168.0.0 0.0.255.255 any
> deny ipv4 198.18.0.0 0.1.255.255 any
> deny ipv4 198.51.0.0 0.0.0.255 any
> deny ipv4 203.0.113.0 0.0.0.255 any
> deny ipv4 224.0.0.0 31.255.255.255 any
>
>
> For BCP38 and 84 you would want to enable uRPF
> https://en.wikipedia.org/wiki/Reverse_path_forwarding
> https://tools.ietf.org/html/rfc3704
>
>
>
> Rich Compton | Principal Eng | 314.596.2828
> 14810 Grasslands Dr, Englewood, CO 80112
>
> On 5/26/17, 11:39 AM, "NANOG on behalf of Graham Johnston"
> <nanog-bounces at nanog.org on behalf of johnstong at westmancom.com> wrote:
>
> >I really did try looking before I sent the email but couldn't quickly
> >find what I was looking for.
> >
> >I am looking for information regarding standard ACLs that operators may
> >be using at the internet edge of their network, on peering and transit
> >connections, wherein you are filtering ingress packets such as those
> >sourced from UDP port 19 for instance. I've found incomplete conceptual
> >discussions about it, but nothing that seemed concrete or complete.
> >
> >This doesn't seem quite like it is BCP38 and more like this is BCP84, but
> >it only talks about use of ACLs in section 2.1 without providing any
> >examples. Given that it is also 13 years old I thought there might be
> >fresher information out there.
> >
> >Thanks,
> >graham
>