[194737] in North American Network Operators' Group


Re: BCP38/84 and DDoS ACLs

daemon@ATHENA.MIT.EDU (Dave Bell)
Sat May 27 05:54:21 2017

X-Original-To: nanog@nanog.org
In-Reply-To: <D54DC566.AABA9%rich.compton@charter.com>
From: Dave Bell <me@geordish.org>
Date: Sat, 27 May 2017 10:54:15 +0100
Cc: NANOG list <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org

Your bogon list has a few non-bogons, and is missing a few current bogons.

Team Cymru keep a good resource for this: http://www.team-cymru.org/bogon-dotted-decimal.html

Regards,
Dave

On 26 May 2017 5:01 pm, "Compton, Rich A" <Rich.Compton@charter.com> wrote:

> To block UDP port 19 you can add something like:
> deny udp any eq 19 any
> deny udp any any eq 19
>
> This will prevent the DDoS attack traffic entering your network (source
> port 19) as well as the hosts scanning around looking for hosts on your
> network that can be used in amplification attacks (destination port 19).
> Please note that this will not block the UDP fragments that come with
> these attacks which have no L4 port to block.  You can possibly do
> policing on UDP fragments to address this.
>
> I’d also suggest adding:
> deny udp any eq 17 any
> deny udp any any eq 17
>
> deny udp any eq 123 any packet-length eq 468
>
> deny udp any eq 520 any
> deny udp any any eq 520
>
> deny udp any eq 1900 any
> deny udp any any eq 1900
>
> Some people will complain that you shouldn’t block UDP port 1900 because
> it’s above 1023 but believe me it’s worth it.
>
>
>
> also to block invalid source IPs to prevent some spoofed traffic from
> coming into your network:
>
> deny ipv4 0.0.0.0 0.255.255.255 any
> deny ipv4 10.0.0.0 0.255.255.255 any
> deny ipv4 11.0.0.0 0.255.255.255 any
> deny ipv4 22.0.0.0 0.255.255.255 any
> deny ipv4 30.0.0.0 0.255.255.255 any
> deny ipv4 100.64.0.0 0.63.255.255 any
> deny ipv4 127.0.0.0 0.255.255.255 any
> deny ipv4 169.254.0.0 0.0.255.255 any
> deny ipv4 172.16.0.0 0.15.255.255 any
> deny ipv4 192.0.0.0 0.0.0.255 any
> deny ipv4 192.0.2.0 0.0.0.255 any
> deny ipv4 192.168.0.0 0.0.255.255 any
> deny ipv4 198.18.0.0 0.1.255.255 any
> deny ipv4 198.51.0.0 0.0.0.255 any
> deny ipv4 203.0.113.0 0.0.0.255 any
> deny ipv4 224.0.0.0 31.255.255.255 any
>
>
> For BCP38 and 84 you would want to enable uRPF
> https://en.wikipedia.org/wiki/Reverse_path_forwarding
> https://tools.ietf.org/html/rfc3704
>
>
>
> Rich Compton | Principal Eng | 314.596.2828
> 14810 Grasslands Dr, Englewood, CO 80112
>
>
>
>
>
>
> On 5/26/17, 11:39 AM, "NANOG on behalf of Graham Johnston"
> <nanog-bounces@nanog.org on behalf of johnstong@westmancom.com> wrote:
>
> >I really did try looking before I sent the email but couldn't quickly
> >find what I was looking for.
> >
> >I am looking for information regarding standard ACLs that operators may
> >be using at the internet edge of their network, on peering and transit
> >connections, wherein you are filtering ingress packets such as those
> >sourced from UDP port 19 for instance. I've found incomplete conceptual
> >discussions about it, but nothing that seemed concrete or complete.
> >
> >This doesn't seem quite like it is BCP38 and more like this is BCP84, but
> >it only talks about use of ACLs in section 2.1 without providing any
> >examples. Given that it is also 13 years old I thought there might be
> >fresher information out there.
> >
> >Thanks,
> >graham
>
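Dave's point above, that the quoted bogon list denies some non-bogon space and misses a current bogon, can be checked mechanically. The following is an added example, not code from the thread: it converts the quoted Cisco-style `deny ipv4 <addr> <wildcard> any` entries to CIDR with the standard library and compares them against a hard-coded reference set of reserved prefixes (an assumption embedded for offline use; the live Team Cymru list Dave links is the authoritative source).

```python
# Added example (not from the thread): audit a Cisco-style source-address ACL against
# a reference set of reserved prefixes, converting wildcard masks to CIDR via ipaddress.
import ipaddress

# Reference set: the traditional bogon prefixes (RFC 1918 / RFC 6890 reserved space),
# hard-coded so this runs offline. In practice fetch the current Team Cymru list.
REFERENCE_BOGONS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.0.0/24", "192.0.2.0/24", "192.168.0.0/16", "198.18.0.0/15",
    "198.51.100.0/24", "203.0.113.0/24", "224.0.0.0/4", "240.0.0.0/4")]

# The source-address entries quoted in the thread, used here as sample input.
SAMPLE_ACL = "\n".join(f"deny ipv4 {a} {w} any" for a, w in [
    ("0.0.0.0", "0.255.255.255"), ("10.0.0.0", "0.255.255.255"), ("11.0.0.0", "0.255.255.255"),
    ("22.0.0.0", "0.255.255.255"), ("30.0.0.0", "0.255.255.255"), ("100.64.0.0", "0.63.255.255"),
    ("127.0.0.0", "0.255.255.255"), ("169.254.0.0", "0.0.255.255"), ("172.16.0.0", "0.15.255.255"),
    ("192.0.0.0", "0.0.0.255"), ("192.0.2.0", "0.0.0.255"), ("192.168.0.0", "0.0.255.255"),
    ("198.18.0.0", "0.1.255.255"), ("198.51.0.0", "0.0.0.255"), ("203.0.113.0", "0.0.0.255"),
    ("224.0.0.0", "31.255.255.255")])

def parse_acl(text):
    """Return the source prefixes matched by `deny ipv4 <addr> <wildcard> any` lines."""
    nets = []
    for line in text.splitlines():
        parts = line.lstrip("> ").split()
        if len(parts) == 5 and parts[:2] == ["deny", "ipv4"] and parts[4] == "any":
            # addr/wildcard is hostmask syntax, which ipaddress accepts (a 0.0.0.0
            # wildcard would be read as netmask /0; the quoted list has none).
            nets.append(ipaddress.ip_network(f"{parts[2]}/{parts[3]}", strict=False))
    return nets

def uncovered(net, covers):
    """Pieces of `net` not inside any prefix in `covers` (CIDR blocks never partially overlap)."""
    remaining = [net]
    for c in covers:
        nxt = []
        for r in remaining:
            if c.supernet_of(r):      # r lies entirely inside c: covered, drop it
                continue
            # c strictly inside r: carve it out; otherwise disjoint, keep r whole
            nxt.extend(r.address_exclude(c) if r.supernet_of(c) else [r])
        remaining = nxt
    return remaining

def audit(acl_text, reference=REFERENCE_BOGONS):
    """Return (non-bogon space the ACL denies, reference bogons the ACL fails to cover)."""
    acl = parse_acl(acl_text)
    non_bogon = sorted(piece for a in acl for piece in uncovered(a, reference))
    missing = sorted(r for r in reference if uncovered(r, acl))
    return non_bogon, missing
```

Run against the quoted list, `audit` reports 11/8, 22/8, 30/8 and 198.51.0.0/24 as denied space outside the reference set, and 198.51.100.0/24 (TEST-NET-2) as the reserved prefix the list does not cover.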
