Merit Network

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group


Re: Martian list of IP's to block???

  • From: bmanning
  • Date: Fri Oct 01 11:49:56 1999

> I used the ones Cisco outlined in their document IOS Essentials every ISP
> Should Know.  Here is a copy of the list I use for our clients:
> 
>     deny   ip host 0.0.0.0 any log
>     deny   ip 127.0.0.0 0.255.255.255 any log
>     deny   ip 10.0.0.0 0.255.255.255 any log
>     deny   ip 172.16.0.0 0.15.255.255 any log
>     deny   ip 192.168.0.0 0.0.255.255 any log
>     deny   ip xxx.xxx.xxx.0 0.0.0.255 any log
>     deny   ip 224.0.0.0 31.255.255.255 any log
> 
> We are denying anyone that claims that their IP address is 0.0.0.0,
> Loopback addresses, all of the RFC 1918 addresses, addresses coming into us
> claiming they belong to our subnet, and multicast addresses.  It seems to
> work for us.  I also turn off ip directed broadcasts to minimize smurf/DoS
> attacks.  If you would like a copy of the document I used, let me know and
> I'll e-mail a copy to you.

	It's also useful to block 

	192.0.2.0/24  - the test network. so designated for documentation use
	169.254.0.0/16 - the link-local network.

	I'm not convinced that blocking native multicast is a good idea.
	
--bill
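
The quoted ACL with the two prefixes from the reply added, converted from IOS wildcard masks to CIDR so its coverage can be checked against source addresses. This is an added example, not part of the original messages; the function names and sample addresses are constructed, and the site-specific `xxx.xxx.xxx.0` entry is left out because its value is not given.

```python
import ipaddress

# ACL from the quoted message plus the two prefixes from the reply, written as
# wildcard entries. The site-specific "xxx.xxx.xxx.0" line is omitted (value not given).
ACL = """\
deny ip host 0.0.0.0 any log
deny ip 127.0.0.0 0.255.255.255 any log
deny ip 10.0.0.0 0.255.255.255 any log
deny ip 172.16.0.0 0.15.255.255 any log
deny ip 192.168.0.0 0.0.255.255 any log
deny ip 224.0.0.0 31.255.255.255 any log
deny ip 192.0.2.0 0.0.0.255 any log
deny ip 169.254.0.0 0.0.255.255 any log
"""

def wildcard_to_network(base, wildcard):
    """Convert an IOS base/wildcard pair to an IPv4Network (contiguous wildcards only)."""
    inverse = int(ipaddress.IPv4Address(wildcard))
    if inverse & (inverse + 1):  # a contiguous wildcard has the form 2**n - 1
        raise ValueError(f"non-contiguous wildcard: {wildcard}")
    return ipaddress.IPv4Network((base, 32 - inverse.bit_length()), strict=True)

def parse_acl(text):
    """Return the source network matched by each 'deny ip <source> any' line."""
    nets = []
    for line in text.splitlines():
        tok = line.split()
        if tok[:2] != ["deny", "ip"]:
            continue
        if tok[2] == "host":
            nets.append(wildcard_to_network(tok[3], "0.0.0.0"))
        else:
            nets.append(wildcard_to_network(tok[2], tok[3]))
    return nets

def is_martian(src, nets):
    """True if the source address falls inside any denied network."""
    addr = ipaddress.IPv4Address(src)
    return any(addr in net for net in nets)

NETS = parse_acl(ACL)

if __name__ == "__main__":
    print([str(n) for n in NETS])
    # Constructed samples. 224.0.0.0 31.255.255.255 is 224.0.0.0/3: multicast plus 240.0.0.0/4.
    for src in ("10.1.2.3", "172.32.0.1", "169.254.10.1", "239.1.1.1", "240.0.0.1", "12.34.56.78"):
        print(src, "deny" if is_martian(src, NETS) else "permit")
```

The `224.0.0.0 31.255.255.255` entry resolves to 224.0.0.0/3, so it matches every source from 224.0.0.0 through 255.255.255.255, not only the multicast range.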
