Actually it doesn't prove that. The filter would /allow/ the packets to
pass through the router since they were coming from one of his networks. If
everyone else on the planet had such a rule it would prove that it /was/
coming from him.

Justin Newton
Internet Architect
Erol's Internet Services

Personally, I use the configuration script listed below on my
internet-facing interface. This guarantees that all packets coming into
my net are tagged with a source address OUTSIDE my net, and are bound for
a host inside my net. Likewise, outbound packets MUST have an origin
inside my net.
This protects me from address spoofing from the rest of the net, and
protects the rest of the net from my users.
I've got similar filters on all of my customer-facing interfaces.
-forrestc@imach.com
-- Start of Included File --
!
! Configuration Script for IP Filtering on Internet-facing interface
! 101 is inbound
! 102 is outbound
!
int s 0
no ip access-group 101 in
no ip access-group 102 out
exit
no access-list 101
access-list 101 deny ip 204.94.230.0 0.0.1.255 any
access-list 101 deny ip 204.182.240.0 0.0.15.255 any
access-list 101 deny ip 199.5.171.0 0.0.0.255 any
access-list 101 deny ip 199.5.172.0 0.0.0.255 any
access-list 101 deny ip 205.166.211.0 0.0.0.255 any
access-list 101 deny ip 206.127.64.0 0.0.63.255 any
access-list 101 deny ip 206.58.180.0 0.0.1.255 any
access-list 101 deny ip 206.58.182.0 0.0.0.255 any
access-list 101 permit ip any 204.94.230.0 0.0.1.255
access-list 101 permit ip any 204.182.240.0 0.0.15.255
access-list 101 permit ip any 199.5.171.0 0.0.0.255
access-list 101 permit ip any 199.5.172.0 0.0.0.255
access-list 101 permit ip any 205.166.211.0 0.0.0.255
access-list 101 permit ip any 206.127.64.0 0.0.63.255
access-list 101 permit ip any 206.58.180.0 0.0.1.255
access-list 101 permit ip any 206.58.182.0 0.0.0.255
no access-list 102
access-list 102 permit ip 204.94.230.0 0.0.1.255 any
access-list 102 permit ip 204.182.240.0 0.0.15.255 any
access-list 102 permit ip 199.5.171.0 0.0.0.255 any
access-list 102 permit ip 199.5.172.0 0.0.0.255 any
access-list 102 permit ip 205.166.211.0 0.0.0.255 any
access-list 102 permit ip 206.127.64.0 0.0.63.255 any
access-list 102 permit ip 206.58.180.0 0.0.1.255 any
access-list 102 permit ip 206.58.182.0 0.0.0.255 any
int s 0
ip access-group 101 in
ip access-group 102 out
exit
-- End of Included File ---
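
Added example (not part of the original message or the poster's configuration): a small Python evaluator for the access-list syntax used above, showing how the wildcard masks, first-match ordering and the implicit deny at the end of each list produce the filtering described. It uses a two-prefix subset of the posted lists; the function names are assumptions made for illustration.

```python
import ipaddress

# Two-prefix subset of the access-list lines from the message above.
ACL_TEXT = """
access-list 101 deny ip 204.94.230.0 0.0.1.255 any
access-list 101 deny ip 206.127.64.0 0.0.63.255 any
access-list 101 permit ip any 204.94.230.0 0.0.1.255
access-list 101 permit ip any 206.127.64.0 0.0.63.255
access-list 102 permit ip 204.94.230.0 0.0.1.255 any
access-list 102 permit ip 206.127.64.0 0.0.63.255 any
"""

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def _take_addr(tokens):
    """Consume 'any' or 'base wildcard'; return (base, wildcard) as ints."""
    if tokens[0] == "any":
        del tokens[0]
        return 0, 0xFFFFFFFF
    base, wild = _ip(tokens[0]), _ip(tokens[1])
    del tokens[:2]
    return base, wild

def parse_acl(text):
    """Return {list_number: [(action, src, dst), ...]} in configured order."""
    acls = {}
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 5 or tok[0] != "access-list" or tok[3] != "ip":
            continue  # skips blanks, '!' comments and 'no access-list N'
        rest = tok[4:]
        src = _take_addr(rest)
        dst = _take_addr(rest)
        acls.setdefault(int(tok[1]), []).append((tok[2], src, dst))
    return acls

def _match(addr, spec):
    base, wild = spec
    # Wildcard bits set to 1 are "don't care"; all other bits must equal base.
    return (addr & ~wild & 0xFFFFFFFF) == (base & ~wild & 0xFFFFFFFF)

def evaluate(acls, number, src, dst):
    """First matching entry wins; no match falls to the implicit deny."""
    for action, s, d in acls.get(number, []):
        if _match(_ip(src), s) and _match(_ip(dst), d):
            return action
    return "deny"
```

Call evaluate(parse_acl(ACL_TEXT), 101, src, dst) for a packet arriving on the interface and use list 102 for a packet leaving it; the result is "permit" or "deny".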