03-12-2003 05:18 AM - edited 02-20-2020 09:20 PM
I need to put an anti-spoofing access-list on my border router.
Can someone give me some examples?
Thanks
03-12-2003 06:06 AM
RFC 2267 Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing January 1998, http://www.landfield.com/ftp/rfc/rfc2267.txt , provides general guidelines on Ingress and Egress filtering.
No one from the general Internet should be sending you packets with a source address from your own network. By filtering packets on your routers that connect your network to the Internet, you can permit only packets with valid source IP addresses to leave your network and get into the Internet. For example, if your internal network is 200.200.200.0/24, put an ACL that only allows outbound packets with a source of 200.200.200.0/24 (or, if you're using NAT, only those IPs). And your inbound ACL shouldn't allow packets with a source IP of your internal network.
A simple outbound example (not including filtering by port):
access-list 110 permit ip 200.200.200.0 0.0.0.255 any
access-list 110 deny ip any any log
!
interface serial 0/1
description connection to internet
ip access-group 110 out
A sample inbound example can be seen at: http://www.rpatrick.com/tech/acl/ .
The key is to deny packets sourced from your own network's IPs and to open only the ports that are required.
e.g.
access-list 180 deny ip host 0.0.0.0 any log
access-list 180 deny ip 0.0.0.0 1.255.255.255 any log
access-list 180 deny ip 10.0.0.0 0.255.255.255 any log
access-list 180 deny ip 172.16.0.0 0.15.255.255 any log
access-list 180 deny ip 192.168.0.0 0.0.255.255 any log
access-list 180 deny ip 224.0.0.0 31.255.255.255 any log
! your network
access-list 180 deny ip 200.200.200.0 0.0.0.255 any log
access-list 180 permit tcp .....
Hope it helps.
Steve
04-21-2003 04:29 PM
A Reflexive ACL can help you; it depends on your application.
I hope that helps.
mc
07-15-2019 11:50 AM
07-20-2019 11:41 AM
Those suggested access lists are checking the source address of traffic and make sense when applied on public facing interfaces of your edge routers. They could be quite harmful if applied on inward facing interfaces of edge routers or on routers inside your network. It is likely that your network will be using some subnets from 10, or from 172.16, or from 192.168 and you would not want to deny their traffic. So apply the anti spoofing access lists only on the edge routers.
HTH
Rick
03-12-2003 09:04 PM
I also recommend adding 127.0.0.0/0.255.255.255 to the excellent example provided by Mr. Barlow.
The point of the ACL is to deny all traffic which can never be valid to enter the Internet facing interface. This includes all traffic sourced from Private IPs, your own IPs, loopbacks, etc.
04-17-2003 01:38 PM
What about
ip route 10.0.0.0 255.0.0.0 Null0
ip route 127.0.0.0 255.0.0.0 Null0
ip route 172.16.0.0 255.240.0.0 Null0
ip route 192.168.0.0 255.255.0.0 Null0
I agree that "access-list" gives you the option of logging, but what do you think will be the pros and cons here?
Kind regards
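To make the difference between the two mechanisms in this thread concrete, here is an added simulation (example code, not Cisco IOS and not posted by anyone in the thread). It evaluates Steve's inbound ACL 180 (with the 127.0.0.0/8 entry from the follow-up reply) and the Null0 static routes from the last question against a few constructed packets. Assumptions are labelled in the code: the trailing permit stands in for the elided "permit tcp ....." line, and the connected and default routes are invented so that destination lookups resolve. It also includes a check for Rick's warning about applying the ACL on an inward-facing interface.

```python
"""Simulates the anti-spoofing controls discussed in this thread on constructed
packets: Steve's source-address ACL (ACL 180) and the Null0 static routes from
the later reply, plus a check for Rick's interface-placement warning.
Added example code, not Cisco IOS and not from the thread."""
import ipaddress
from typing import List, Tuple

IP = ipaddress.IPv4Address


def wildcard_match(ip: str, addr: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 0 bit in the wildcard must match, a 1 bit is
    ignored. 'host X' is wildcard 0.0.0.0; 'any' is 0.0.0.0 255.255.255.255."""
    wc = int(IP(wildcard))
    return (int(IP(ip)) | wc) == (int(IP(addr)) | wc)


# Inbound ACL 180 from Steve's post as (action, source, wildcard). The thread's
# last line is elided ("permit tcp ....."); the final permit here is an ASSUMED
# stand-in for those port-specific permits, not a rule from the thread.
ACL_180: List[Tuple[str, str, str]] = [
    ("deny", "0.0.0.0", "0.0.0.0"),            # host 0.0.0.0
    ("deny", "0.0.0.0", "1.255.255.255"),
    ("deny", "10.0.0.0", "0.255.255.255"),
    ("deny", "172.16.0.0", "0.15.255.255"),
    ("deny", "192.168.0.0", "0.0.255.255"),
    ("deny", "224.0.0.0", "31.255.255.255"),
    ("deny", "127.0.0.0", "0.255.255.255"),    # added in the follow-up reply
    ("deny", "200.200.200.0", "0.0.0.255"),    # your own network
    ("permit", "0.0.0.0", "255.255.255.255"),  # ASSUMED stand-in for "permit tcp ....."
]


def acl_action(acl, src_ip: str) -> str:
    """First-match evaluation on the source address; an IOS ACL ends with an implicit deny."""
    for action, addr, wc in acl:
        if wildcard_match(src_ip, addr, wc):
            return action
    return "deny"


# Routing table: the four Null0 routes from the thread, plus a connected route for
# the example network and a default route (both ASSUMED so that lookups resolve).
ROUTES = [
    (ipaddress.IPv4Network("10.0.0.0/8"), "Null0"),
    (ipaddress.IPv4Network("127.0.0.0/8"), "Null0"),
    (ipaddress.IPv4Network("172.16.0.0/12"), "Null0"),
    (ipaddress.IPv4Network("192.168.0.0/16"), "Null0"),
    (ipaddress.IPv4Network("200.200.200.0/24"), "FastEthernet0/0"),  # assumed inside interface
    (ipaddress.IPv4Network("0.0.0.0/0"), "Serial0/1"),               # assumed default toward ISP
]


def next_hop(dst_ip: str) -> str:
    """Longest-prefix match on the DESTINATION; a static route never looks at the source."""
    ip = IP(dst_ip)
    best = max((r for r in ROUTES if ip in r[0]), key=lambda r: r[0].prefixlen)
    return best[1]


def evaluate(src: str, dst: str) -> dict:
    """Outcome of each control for one packet arriving on the Internet-facing interface."""
    return {
        "acl_180": acl_action(ACL_180, src),
        "null0_drops": next_hop(dst) == "Null0",
    }


def inside_subnets_broken_by(acl, internal_subnets: List[str]) -> List[str]:
    """Rick's warning: internal subnets whose hosts this ACL would deny if it were
    applied on an inward-facing interface (probed with each subnet's first host)."""
    broken = []
    for cidr in internal_subnets:
        probe = str(next(ipaddress.IPv4Network(cidr).hosts()))
        if acl_action(acl, probe) == "deny":
            broken.append(cidr)
    return broken


if __name__ == "__main__":
    # Constructed sample packets: (source, destination, what they represent).
    samples = [
        ("10.1.2.3", "200.200.200.10", "spoofed RFC1918 source from the Internet"),
        ("200.200.200.5", "200.200.200.10", "spoofed with our own address"),
        ("198.51.100.7", "200.200.200.10", "ordinary Internet client"),
    ]
    for src, dst, label in samples:
        print(f"{label:42s} {evaluate(src, dst)}")
    print("Null0 drops the reply toward a spoofed source:", next_hop("10.1.2.3"))
    print("Applied inward, ACL 180 would break:",
          inside_subnets_broken_by(ACL_180, ["192.168.10.0/24", "198.51.100.0/24"]))
```

The output makes the trade-off behind the "pros and cons" question visible: a spoofed packet from 10.1.2.3 toward your server is stopped by the ACL but is forwarded by the routing table, because the Null0 route only matches the destination. What the Null0 routes do catch is the reverse direction, traffic your network would send toward those prefixes, such as replies to a spoofed source, and they do it without logging. Source-based filtering at the edge still needs the ACL (or a source-verification feature such as unicast RPF, which is not discussed in the thread).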