[25249] in North American Network Operators' Group
Re: Martian list of IP's to block???
daemon@ATHENA.MIT.EDU (bmanning@vacation.karoshi.com)
Fri Oct 1 11:48:11 1999
From: bmanning@vacation.karoshi.com
Message-Id: <199910011549.IAA02509@vacation.karoshi.com>
To: rfuller@3x.com
Date: Fri, 1 Oct 1999 08:49:23 -0700 (PDT)
Cc: jmbrown@ihighway.net (John M. Brown), nanog@merit.edu
In-Reply-To: <OF1A472F67.E919BB88-ON852567FD.0041BD2C@3x.com> from "rfuller@3x.com" at Oct 01, 1999 08:02:23 AM
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Errors-To: owner-nanog-outgoing@merit.edu
> I used the ones Cisco outlined in their document IOS Essentials every ISP
> Should Know. Here is a copy of the list I use for our clients:
>
> deny ip host 0.0.0.0 any log
> deny ip 127.0.0.0 0.255.255.255 any log
> deny ip 10.0.0.0 0.255.255.255 any log
> deny ip 172.16.0.0 0.15.255.255 any log
> deny ip 192.168.0.0 0.0.255.255 any log
> deny ip xxx.xxx.xxx.0 0.0.0.255 any log
> deny ip 224.0.0.0 31.255.255.255 any log
>
> We are denying anyone that claims that their IP address is 0.0.0.0,
> loopback addresses, all of the RFC 1918 addresses, addresses coming into us
> claiming they belong to our subnet, and multicast addresses. It seems to
> work for us. I also turn off ip directed broadcasts to minimize smurf/DoS
> attacks. If you would like a copy of the document I used, let me know and
> I'll e-mail a copy to you.
It's also useful to block
192.0.2.0/24 - the test network, so designated for documentation use.
169.254.0.0/16 - the link-local network.
I'm not convinced that blocking native multicast is a good idea.
--bill
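The following is an added example, not part of the thread: it converts the posted Cisco ACL (with the two ranges from the reply appended) from address/wildcard-mask form into prefixes and runs constructed flow records through it, so an operator can check which inbound sources the filter would deny. The `203.0.113.0/24` line stands in for the poster's elided `xxx.xxx.xxx.0` customer subnet, and the `src=... dst=...` record format is an assumption.

```python
import ipaddress

# Constructed for this example: the quoted ACL, with the elided customer
# subnet replaced by the placeholder 203.0.113.0/24 (assumption), plus the
# two ranges from the reply (192.0.2.0/24 and 169.254.0.0/16).
ACL_LINES = [
    "deny ip host 0.0.0.0 any log",
    "deny ip 127.0.0.0 0.255.255.255 any log",
    "deny ip 10.0.0.0 0.255.255.255 any log",
    "deny ip 172.16.0.0 0.15.255.255 any log",
    "deny ip 192.168.0.0 0.0.255.255 any log",
    "deny ip 203.0.113.0 0.0.0.255 any log",    # placeholder for "our subnet"
    "deny ip 224.0.0.0 31.255.255.255 any log",  # multicast, 224.0.0.0/3
    "deny ip 192.0.2.0 0.0.0.255 any log",       # test network (reply)
    "deny ip 169.254.0.0 0.0.255.255 any log",   # link-local (reply)
]

def wildcard_to_network(addr, wildcard):
    """Turn a Cisco address/wildcard pair into an IPv4Network.
    A wildcard mask is the bitwise inverse of a subnet mask, so it must be
    contiguous (0.15.255.255, not 0.255.0.255) to map onto a prefix."""
    mask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    prefixlen = bin(mask).count("1")
    net = ipaddress.IPv4Network((addr, prefixlen), strict=False)
    if int(net.netmask) != mask:
        raise ValueError(f"non-contiguous wildcard mask {wildcard}")
    return net

def parse_deny(line):
    """Parse one 'deny ip <src> any log' line into its source network."""
    parts = line.split()
    if parts[:2] != ["deny", "ip"]:
        raise ValueError(f"unsupported ACL line: {line}")
    if parts[2] == "host":
        return ipaddress.IPv4Network(parts[3] + "/32")
    return wildcard_to_network(parts[2], parts[3])

MARTIANS = [parse_deny(line) for line in ACL_LINES]

def classify_source(src):
    """Return the martian network that covers src, or None if it passes."""
    ip = ipaddress.IPv4Address(src)
    return next((net for net in MARTIANS if ip in net), None)

def filter_flow_log(records):
    """Return (src, matched_prefix) for each constructed flow record whose
    source address the ACL would deny and log."""
    denied = []
    for record in records:
        fields = dict(field.split("=", 1) for field in record.split())
        hit = classify_source(fields["src"])
        if hit is not None:
            denied.append((fields["src"], str(hit)))
    return denied

# Constructed flow records: one legitimate source (198.51.100.7) among spoofs.
SAMPLE_FLOWS = [
    "src=0.0.0.0 dst=203.0.113.10",
    "src=10.1.2.3 dst=203.0.113.10",
    "src=198.51.100.7 dst=203.0.113.10",
    "src=192.0.2.44 dst=203.0.113.10",
    "src=169.254.9.9 dst=203.0.113.10",
    "src=239.255.255.250 dst=203.0.113.10",
    "src=203.0.113.5 dst=203.0.113.10",
]
```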