BCP38/84 and DDoS ACLs

I really did try looking before I sent the email but couldn't quickly find what I was looking for.

I am looking for information regarding standard ACLs that operators may be using at the internet edge of their network, on peering and transit connections, wherein you are filtering ingress packets such as those sourced from UDP port 19 for instance. I've found incomplete conceptual discussions about it, but nothing that seemed concrete or complete.

This doesn't seem quite like it is BCP38 and more like this is BCP84, but it only talks about use of ACLs in section 2.1 without providing any examples. Given that it is also 13 years old I thought there might be fresher information out there.

Thanks,
graham

To block UDP port 19 you can add something like:
deny udp any eq 19 any
deny udp any any eq 19

This will prevent the DDoS attack traffic entering your network (source
port 19) as well as the hosts scanning around looking for hosts on your
network that can be used in amplification attacks (destination port 19).
Please note that this will not block the UDP fragments that come with
these attacks which have no L4 port to block. You can possibly do
policing on UDP fragments to address this.

I'd also suggest adding:
deny udp any eq 17 any
deny udp any any eq 17

deny udp any eq 123 any packet-length eq 468

deny udp any eq 520 any
deny udp any any eq 520

deny udp any eq 1900 any
deny udp any any eq 1900

Some people will complain that you shouldn't block UDP port 1900 because
it's above 1023 but believe me it's worth it.

also to block invalid source IPs to prevent some spoofed traffic from
coming into your network:

deny ipv4 0.0.0.0 0.255.255.255 any
deny ipv4 10.0.0.0 0.255.255.255 any
deny ipv4 11.0.0.0 0.255.255.255 any
deny ipv4 22.0.0.0 0.255.255.255 any
deny ipv4 30.0.0.0 0.255.255.255 any
deny ipv4 100.64.0.0 0.63.255.255 any
deny ipv4 127.0.0.0 0.255.255.255 any
deny ipv4 169.254.0.0 0.0.255.255 any
deny ipv4 172.16.0.0 0.15.255.255 any
deny ipv4 192.0.0.0 0.0.0.255 any
deny ipv4 192.0.2.0 0.0.0.255 any
deny ipv4 192.168.0.0 0.0.255.255 any
deny ipv4 198.18.0.0 0.1.255.255 any
deny ipv4 198.51.0.0 0.0.0.255 any
deny ipv4 203.0.113.0 0.0.0.255 any
deny ipv4 224.0.0.0 31.255.255.255 any

For BCP38 and 84 you would want to enable uRPF
https://en.wikipedia.org/wiki/Reverse_path_forwarding
https://tools.ietf.org/html/rfc3704

Rich Compton | Principal Eng | 314.596.2828
14810 Grasslands Dr, Englewood, CO 80112

On 5/26/17, 11:39 AM, "NANOG on behalf of Graham Johnston"
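To make the semantics of the entries above concrete, here is a small evaluator, written as an added example for this thread (it is not code from the thread, from NANOG, or from any vendor). It models only the syntax used in the post: `deny udp any eq P any`, `deny udp any any eq P`, the optional `packet-length eq N` qualifier, and `deny ipv4 NET WILDCARD any`. It assumes the list ends with an implicit permit (a real Cisco ACL ends with an implicit deny, so a production list needs an explicit permit after these entries), and it represents a non-initial UDP fragment with `sport`/`dport` set to `None`, which is why the port-based entries let it through, as the post warns. All packets and addresses are constructed samples.

```python
"""Evaluator for the Cisco-style ACL entries quoted in this thread.

Added example, not from the thread or any vendor. Assumption: the ACL is
followed by an implicit 'permit ip any any'. A UDP fragment with no L4
header is modelled with sport/dport = None.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

ACL_TEXT = """
deny udp any eq 19 any
deny udp any any eq 19
deny udp any eq 17 any
deny udp any any eq 17
deny udp any eq 123 any packet-length eq 468
deny udp any eq 1900 any
deny udp any any eq 1900
deny ipv4 10.0.0.0 0.255.255.255 any
deny ipv4 192.168.0.0 0.0.255.255 any
deny ipv4 224.0.0.0 31.255.255.255 any
"""


@dataclass
class Entry:
    text: str
    proto: str                                # 'udp' or 'ipv4'
    src_net: Optional[ipaddress.IPv4Network]  # None means 'any'
    sport: Optional[int]
    dport: Optional[int]
    length: Optional[int]


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """A Cisco wildcard mask is an inverted netmask: 0 bits must match."""
    netmask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.IPv4Network(f"{addr}/{netmask}", strict=False)


def parse_entry(line: str) -> Entry:
    tok = line.split()
    if tok[0] != "deny":
        raise ValueError(f"only 'deny' entries are modelled: {line}")
    if tok[1] == "ipv4":                      # deny ipv4 NET WILDCARD any
        return Entry(line, "ipv4", wildcard_to_network(tok[2], tok[3]), None, None, None)
    if tok[1] != "udp":
        raise ValueError(f"unsupported protocol: {line}")
    ports = {"sport": None, "dport": None}
    i = 2
    for which in ("sport", "dport"):          # 'any [eq P]' for source, then destination
        if tok[i] != "any":
            raise ValueError(f"only 'any' addresses are modelled for udp: {line}")
        i += 1
        if i < len(tok) and tok[i] == "eq":
            ports[which] = int(tok[i + 1])
            i += 2
    length = None
    if i + 2 < len(tok) and tok[i] == "packet-length" and tok[i + 1] == "eq":
        length = int(tok[i + 2])
    return Entry(line, "udp", None, ports["sport"], ports["dport"], length)


def matches(entry: Entry, pkt: dict) -> bool:
    if entry.proto == "ipv4":                 # address-only entry, any protocol
        return ipaddress.IPv4Address(pkt["src"]) in entry.src_net
    if pkt["proto"] != "udp":
        return False
    needs_ports = entry.sport is not None or entry.dport is not None
    if needs_ports and pkt["sport"] is None:  # fragment without UDP header: ports unknown
        return False
    if entry.sport is not None and pkt["sport"] != entry.sport:
        return False
    if entry.dport is not None and pkt["dport"] != entry.dport:
        return False
    if entry.length is not None and pkt["length"] != entry.length:
        return False
    return True


def evaluate(acl: list, pkt: dict) -> tuple:
    """First-match semantics: ('deny', entry text) or ('permit', None)."""
    for entry in acl:
        if matches(entry, pkt):
            return ("deny", entry.text)
    return ("permit", None)


ACL = [parse_entry(l) for l in ACL_TEXT.strip().splitlines()]


def udp(src, sport, dport, length):
    return {"src": src, "proto": "udp", "sport": sport, "dport": dport, "length": length}


# Constructed sample packets using documentation prefixes, not real traffic.
SAMPLES = {
    "chargen reflection": udp("198.51.100.7", 19, 40000, 1024),
    "chargen scan":       udp("203.0.113.9", 51000, 19, 60),
    "ntp monlist reply":  udp("198.51.100.8", 123, 33000, 468),
    "ntp normal reply":   udp("198.51.100.8", 123, 33000, 76),
    "udp fragment":       udp("198.51.100.7", None, None, 1480),
    "spoofed rfc1918":    udp("10.1.2.3", 53, 33001, 120),
    "dns reply":          udp("198.51.100.53", 53, 33002, 120),
}


def run_samples() -> dict:
    """Verdict per sample packet; the fragment is permitted, as the post warns."""
    return {name: evaluate(ACL, pkt)[0] for name, pkt in SAMPLES.items()}
```

Running `run_samples()` shows the two things the post calls out: the `packet-length eq 468` qualifier drops the monlist-sized NTP reply while an ordinary 76-byte NTP reply passes, and the fragment with no UDP header is not caught by any port-based line, which is why the post suggests policing UDP fragments separately.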

These .pdf presos may be of interest:

<https://app.box.com/s/ko8lk4vlh1835p36na3u>

<https://app.box.com/s/xznjloitly2apixr5xge>

They talk about iACL and tACL design philosophy.

What traffic you should permit/deny on your network is, of course, situationally specific. It depends on what kind of network it is, what servers/services/applications/users you have, et al. You may need one set of ACLs at the peering/transit edge, and other, more specific ACLs at the IDC distribution gateway, customer aggregation gateway, et al.

When I was doing some research in regards to the same subject I ran across this doc. I've found it to be very helpful.

http://nabcop.org/index.php/DDoS-DoS-attack-BCOP

Kody Vicknair
Network Engineer

Tel: 985.536.1214
Fax: 985.536.0300
Email: kvicknair@reservetele.com

Reserve Telecommunications
100 RTC Dr
Reserve, LA 70084

I'll go out on a limb and suggest that except for a very basic home/SOHO
network, "You may need" should be "You will probably need".

Concur, heh.

This is the correct URI for the first preso, apologies:

<https://app.box.com/s/osk4po8ietn1zrjjmn8b>

to be honest, i do not block chargen etc at my borders; i scan hosts
and turn off silly services on the hosts. but i do not have myriads of
hosts in a soft gooey inside.

what i block at my borders are 135-139, 161 (except for holes for
measurement stations), 445, 514, stuff such as that.

ykmv

randy


Casually applied RPF checks applied to transit and peer interfaces,
especially exchange fabrics, have a very high likelihood of blackholing
traffic you wanted, particularly during maintenance, if not carefully
implemented. A very careful read of rfc3704/bcp 84 is a necessary part of
implementing bcp 38 filters.

Your bogon list has a few non-bogons, and is missing a few current bogons.

Team Cymru keep a good resource for this: http://www.team-cymru.org/bogon-dotted-decimal.html

Regards,
Dave

Dear team,

Your bogon list has a few non-bogons, and is missing a few current
bogons.

Team Cymru keep a good resource for this: http://www.team-cymru.org/bogon-dotted-decimal.html

Thank you, Dave!

The full list of formats and styles can be found here:

   <http://www.team-cymru.org/bogon-reference.html>

Be well,
Rob.
--
Rabbi Rob Thomas Team Cymru
   "It is easy to believe in freedom of speech for those with whom we
    agree." - Leo McKern