North American Network Operators Group
Re: Martian list of IP's to block???
> I used the ones Cisco outlined in their document IOS Essentials every ISP
> Should Know. Here is a copy of the list I use for our clients:
>
> deny ip host 0.0.0.0 any log
> deny ip 127.0.0.0 0.255.255.255 any log
> deny ip 10.0.0.0 0.255.255.255 any log
> deny ip 172.16.0.0 0.15.255.255 any log
> deny ip 192.168.0.0 0.0.255.255 any log
> deny ip xxx.xxx.xxx.0 0.0.0.255 any log
> deny ip 224.0.0.0 31.255.255.255 any log
>
> We are denying anyone that claims that their IP address is 0.0.0.0,
> loopback addresses, all of the RFC 1918 addresses, addresses coming into us
> claiming they belong to our subnet, and multicast addresses. It seems to
> work for us. I also turn off ip directed broadcasts to minimize smurf/DoS
> attacks. If you would like a copy of the document I used, let me know and
> I'll e-mail a copy to you.

It's also useful to block:

192.0.2.0/24 - the test network, so designated for documentation use
169.254.0.0/16 - the link-local network

I'm not convinced that blocking native multicast is a good idea.

--bill
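The following is an added example for this thread, not code from either poster or from the Cisco document cited. It turns the quoted IOS access list into an ordered rule set, converts each address/wildcard pair into a prefix, and reports which entry a packet's source address hits using the same first-match semantics IOS applies. Assumptions: the customer prefix elided as xxx.xxx.xxx.0 in the post is stood in for by 198.51.100.0/24 (a documentation range); bill's two suggested ranges are appended; an explicit final `permit ip any any` is added because the quoted snippet shows only the deny entries; and the sample source addresses at the bottom are constructed. One thing the conversion makes visible: the entry `224.0.0.0 31.255.255.255` is 224.0.0.0/3, which covers not only 224/4 multicast but also 240/4 reserved space and the limited broadcast address.

```python
"""Evaluate a Cisco-style anti-spoofing ("martian") ingress ACL.

Added example for this thread; it is not code from the original post or
from the Cisco document it cites. The customer prefix written as
xxx.xxx.xxx.0 in the post is an elided value; this example assumes
198.51.100.0/24 (a documentation range) in its place.
"""
import ipaddress

# Constructed ACL: the quoted list with the assumed customer prefix, plus the
# two ranges bill suggested (192.0.2.0/24 and 169.254.0.0/16) and an explicit
# final permit so that non-martian sources are accepted.
ACL_TEXT = """
deny ip host 0.0.0.0 any log
deny ip 127.0.0.0 0.255.255.255 any log
deny ip 10.0.0.0 0.255.255.255 any log
deny ip 172.16.0.0 0.15.255.255 any log
deny ip 192.168.0.0 0.0.255.255 any log
deny ip 198.51.100.0 0.0.0.255 any log
deny ip 192.0.2.0 0.0.0.255 any log
deny ip 169.254.0.0 0.0.255.255 any log
deny ip 224.0.0.0 31.255.255.255 any log
permit ip any any
"""


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Convert an IOS address/wildcard pair into a prefix.

    In a wildcard mask, 0 bits must match and 1 bits are "don't care", the
    inverse of a netmask. Only contiguous wildcards (0...01...1) map to a
    prefix; IOS accepts non-contiguous ones, but they are rejected here.
    """
    wc = int(ipaddress.IPv4Address(wildcard))
    if wc & (wc + 1):
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    prefixlen = 32 - wc.bit_length()
    return ipaddress.IPv4Network((addr, prefixlen), strict=False)


def parse_acl(text: str) -> list:
    """Parse 'deny|permit ip <src> any [log]' lines into (action, net, log, line)."""
    entries = []
    for raw in text.splitlines():
        toks = raw.split()
        if not toks or toks[0].startswith("!"):
            continue
        action, rest = toks[0], toks[2:]  # toks[1] is the protocol, always "ip" here
        if rest[0] == "host":
            net, rest = ipaddress.IPv4Network(rest[1] + "/32"), rest[2:]
        elif rest[0] == "any":
            net, rest = ipaddress.IPv4Network("0.0.0.0/0"), rest[1:]
        else:
            net, rest = wildcard_to_network(rest[0], rest[1]), rest[2:]
        entries.append((action, net, "log" in rest, raw.strip()))
    return entries


ACL = parse_acl(ACL_TEXT)


def evaluate(acl: list, src: str) -> tuple:
    """First-match evaluation of a source address, as IOS does.

    Returns (action, matching line). An ACL with no explicit permit ends
    in an implicit deny, modelled by the fallback return.
    """
    ip = ipaddress.IPv4Address(src)
    for action, net, _log, line in acl:
        if ip in net:
            return action, line
    return "deny", "implicit deny"


if __name__ == "__main__":
    # Constructed sample sources: an RFC 1918 spoof, a normal source, the
    # address just past 172.16/12, a multicast address and a class E address.
    for src in ("10.1.2.3", "8.8.8.8", "172.32.0.1", "239.1.1.1", "240.0.0.1"):
        action, line = evaluate(ACL, src)
        print(f"{src:>12} -> {action:6} ({line})")
    # The last deny is broader than multicast: 224.0.0.0 with wildcard
    # 31.255.255.255 is 224.0.0.0/3, i.e. 224/4 multicast plus 240/4 reserved.
    print(wildcard_to_network("224.0.0.0", "31.255.255.255"))
```

Because matching is first-hit, entry order matters when deny and permit entries overlap; keeping the denies ahead of the permit, as above, is what makes the list an anti-spoofing filter rather than a no-op.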