Martian list of IPs to block???

I used the ones Cisco outlined in their document IOS Essentials every ISP
Should Know. Here is a copy of the list I use for our clients:

    deny ip host 0.0.0.0 any log
    deny ip 127.0.0.0 0.255.255.255 any log
    deny ip 10.0.0.0 0.255.255.255 any log
    deny ip 172.16.0.0 0.15.255.255 any log
    deny ip 192.168.0.0 0.0.255.255 any log
    deny ip xxx.xxx.xxx.0 0.0.0.255 any log
    deny ip 224.0.0.0 31.255.255.255 any log

We are denying anyone that claims that their IP address is 0.0.0.0,
loopback addresses, all of the RFC 1918 addresses, addresses coming into us
claiming they belong to our subnet, and multicast addresses. It seems to
work for us. I also turn off ip directed broadcasts to minimize smurf/DoS
attacks. If you would like a copy of the document I used, let me know and
I'll e-mail a copy to you.

  It's also useful to block

  192.0.2.0/24 - the test network, designated for documentation use.
  169.254.0.0/16 - the link-local network.

  I'm not convinced that blocking native multicast is a good idea.
  
--bill

This is blocking packets sourced with a multicast ip, not
destined for multicast.

  ex: when I source multicast traffic the src ip is the ip of
the machine sending the traffic, and the dst is the ip of the multicast
group.

  so traffic would go from (for example) puck.nether.net (204.42.254.5)
to the multicast group for Places all over the World (224.2.172.238).

  This ACL would prevent someone from sending a ping to your
router, and faking the src ip to be something like all-routers.mcast.net,
and having you start ping flooding all the multicast routers,
or multicast hosts out on the internet. (Think semi smurf-attack like.)

  - jared
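As an added example (written here, not code from any poster in this thread), a small Python model of the source-address filter that the first message posts and Jared's reply explains: it converts each IOS address/wildcard pair to a prefix, applies the deny list to the source field only (the trailing "any" in the ACL is the destination), and shows that Jared's unicast-to-multicast packet is permitted while a packet with a forged multicast source is dropped. Bill's two extra prefixes are kept in a second list so the difference they make is visible. The 203.0.113.0/24 stand-in for the poster's "xxx.xxx.xxx.0" subnet, the sample packet list and all function names are assumptions; 224.0.0.2 is the all-routers address Jared refers to.

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed stand-in for the poster's own subnet ("xxx.xxx.xxx.0 0.0.0.255").
# 203.0.113.0/24 is an RFC 5737 documentation prefix, not a real customer block.
OUR_SUBNET = "203.0.113.0 0.0.0.255"

# The deny lines from the first message, in IOS "address wildcard" form.
MARTIAN_ACL = [
    "0.0.0.0 0.0.0.0",           # host 0.0.0.0
    "127.0.0.0 0.255.255.255",   # loopback
    "10.0.0.0 0.255.255.255",    # RFC 1918
    "172.16.0.0 0.15.255.255",   # RFC 1918
    "192.168.0.0 0.0.255.255",   # RFC 1918
    OUR_SUBNET,                  # our own prefix arriving from outside
    "224.0.0.0 31.255.255.255",  # multicast (and everything above it)
]

# Bill's two additions, kept separate so their effect can be compared.
EXTRA_ACL = [
    "192.0.2.0 0.0.0.255",       # TEST-NET, reserved for documentation
    "169.254.0.0 0.0.255.255",   # link-local
]


def wildcard_to_network(entry: str) -> ipaddress.IPv4Network:
    """Convert an IOS 'address wildcard' pair to an IPv4Network.

    A wildcard mask is the bitwise inverse of a subnet mask, so
    0.15.255.255 -> 255.240.0.0 -> /12. Only contiguous masks (the ones in
    this thread) map to a prefix; ipaddress raises ValueError otherwise.
    """
    addr, wildcard = entry.split()
    wc = int(ipaddress.IPv4Address(wildcard))
    netmask = ipaddress.IPv4Address((~wc) & 0xFFFFFFFF)
    return ipaddress.IPv4Network((addr, str(netmask)), strict=False)


def build_filter(acl_entries: List[str]) -> List[ipaddress.IPv4Network]:
    """Turn a list of ACL entries into the prefixes the filter checks."""
    return [wildcard_to_network(e) for e in acl_entries]


def ingress_verdict(src: str, dst: str,
                    networks: List[ipaddress.IPv4Network]) -> Tuple[str, Optional[str]]:
    """Mirror the ACL: each deny line matches on the SOURCE address; the
    destination ('any') is never consulted. Returns ('deny', prefix) for the
    first matching line, or ('permit', None) when nothing matched."""
    s = ipaddress.IPv4Address(src)
    ipaddress.IPv4Address(dst)  # validate only; destination is not filtered
    for net in networks:
        if s in net:
            return ("deny", str(net))
    return ("permit", None)


# Constructed sample packets as (source, destination).
SAMPLE_PACKETS = [
    ("204.42.254.5", "224.2.172.238"),  # Jared's case: unicast src, multicast dst
    ("224.0.0.2", "203.0.113.1"),       # forged all-routers.mcast.net source
    ("10.1.2.3", "203.0.113.1"),        # RFC 1918 source from outside
    ("203.0.113.9", "203.0.113.1"),     # our own prefix arriving from outside
    ("192.0.2.77", "203.0.113.1"),      # TEST-NET: only Bill's addition catches it
    ("198.51.100.4", "203.0.113.1"),    # ordinary external unicast
]


def evaluate(packets, networks) -> List[Tuple[str, str, str, Optional[str]]]:
    """Run every packet through the filter and return (src, dst, verdict, prefix)."""
    return [(src, dst, *ingress_verdict(src, dst, networks)) for src, dst in packets]


if __name__ == "__main__":
    base = build_filter(MARTIAN_ACL)
    full = build_filter(MARTIAN_ACL + EXTRA_ACL)
    for label, nets in (("Cisco list", base), ("Cisco list + Bill's additions", full)):
        print(f"== {label}: {[str(n) for n in nets]}")
        for src, dst, verdict, prefix in evaluate(SAMPLE_PACKETS, nets):
            hit = f" (matched {prefix})" if prefix else ""
            print(f"  {src:>14} -> {dst:<14} {verdict}{hit}")
```

The model keeps the ACL's semantics: a packet is judged only by where it claims to come from, which is why sourcing multicast traffic (unicast source, group destination) passes untouched and only the forged multicast source is dropped, matching Jared's reading and Andy's note that the list makes sense when applied to source addresses.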

}> deny ip 224.0.0.0 31.255.255.255 any log

...

} I'm not convinced that blocking native multicast is a good idea.

I think it makes sense if you're using this list to block source
addresses, or if you are applying this list to unicast routes only. We
also block 224.0.0.0/4, but not on MBGP-learned routes.

-andy