Your bogon list has a few non-bogons, and is missing a few current bogons. Team Cymru keep a good resource for this: http://www.team-cymru.org/bogon-dotted-decimal.html
Regards,
Dave

On 26 May 2017 5:01 pm, "Compton, Rich A" <[email protected]> wrote:

> To block UDP port 19 you can add something like:
> deny udp any eq 19 any
> deny udp any any eq 19
>
> This will prevent the DDoS attack traffic entering your network (source port 19) as well as the hosts scanning around looking for hosts on your network that can be used in amplification attacks (destination port 19). Please note that this will not block the UDP fragments that come with these attacks which have no L4 port to block. You can possibly do policing on UDP fragments to address this.
>
> I'd also suggest adding:
> deny udp any eq 17 any
> deny udp any any eq 17
>
> deny udp any eq 123 any packet-length eq 468
>
> deny udp any eq 520 any
> deny udp any any eq 520
>
> deny udp any eq 1900 any
> deny udp any any eq 1900
>
> Some people will complain that you shouldn't block UDP port 1900 because it's above 1023 but believe me it's worth it.
>
> Also to block invalid source IPs to prevent some spoofed traffic from coming into your network:
>
> deny ipv4 0.0.0.0 0.255.255.255 any
> deny ipv4 10.0.0.0 0.255.255.255 any
> deny ipv4 11.0.0.0 0.255.255.255 any
> deny ipv4 22.0.0.0 0.255.255.255 any
> deny ipv4 30.0.0.0 0.255.255.255 any
> deny ipv4 100.64.0.0 0.63.255.255 any
> deny ipv4 127.0.0.0 0.255.255.255 any
> deny ipv4 169.254.0.0 0.0.255.255 any
> deny ipv4 172.16.0.0 0.15.255.255 any
> deny ipv4 192.0.0.0 0.0.0.255 any
> deny ipv4 192.0.2.0 0.0.0.255 any
> deny ipv4 192.168.0.0 0.0.255.255 any
> deny ipv4 198.18.0.0 0.1.255.255 any
> deny ipv4 198.51.0.0 0.0.0.255 any
> deny ipv4 203.0.113.0 0.0.0.255 any
> deny ipv4 224.0.0.0 31.255.255.255 any
>
> For BCP38 and 84 you would want to enable uRPF
> https://en.wikipedia.org/wiki/Reverse_path_forwarding
> https://tools.ietf.org/html/rfc3704
>
> Rich Compton | Principal Eng | 314.596.2828
> 14810 Grasslands Dr, Englewood, CO 80112
>
> On 5/26/17, 11:39 AM, "NANOG on behalf of Graham Johnston" <[email protected] on behalf of [email protected]> wrote:
>
>> I really did try looking before I sent the email but couldn't quickly find what I was looking for.
>>
>> I am looking for information regarding standard ACLs that operators may be using at the internet edge of their network, on peering and transit connections, wherein you are filtering ingress packets such as those sourced from UDP port 19 for instance. I've found incomplete conceptual discussions about it, nothing that seemed concrete or complete.
>>
>> This doesn't seem quite like it is BCP38 and more like this is BCP84, but it only talks about use of ACLs in section 2.1 without providing any examples. Given that it is also 13 years old I thought there might be fresher information out there.
>>
>> Thanks,
>> graham
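One way to check a bogon ACL like the one quoted above against a current reference, as an added Python example that is not part of the thread: it converts Cisco address/wildcard entries to CIDR, then reports entries whose addresses lie outside the bogon space (they would drop legitimate traffic) and bogons the ACL does not cover. The reference prefix list and the sample ACL are constructed here; the reference is an assumption approximating the Team Cymru list Dave links to, not fetched from it.

```python
import ipaddress
import re

# Assumed reference: the IPv4 "traditional bogon" prefixes (RFC 6890 special-purpose
# space plus multicast and class E). This approximates the Team Cymru list Dave links
# to; pull the live list before using this in production.
REFERENCE_BOGONS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.0.0/24", "192.0.2.0/24", "192.168.0.0/16", "198.18.0.0/15",
    "198.51.100.0/24", "203.0.113.0/24", "224.0.0.0/4", "240.0.0.0/4")]

# Constructed sample: the source-address entries from the ACL posted in the thread.
SAMPLE_ACL = "\n".join(f"deny ipv4 {a} {w} any" for a, w in (
    ("0.0.0.0", "0.255.255.255"), ("10.0.0.0", "0.255.255.255"), ("11.0.0.0", "0.255.255.255"),
    ("22.0.0.0", "0.255.255.255"), ("30.0.0.0", "0.255.255.255"), ("100.64.0.0", "0.63.255.255"),
    ("127.0.0.0", "0.255.255.255"), ("169.254.0.0", "0.0.255.255"), ("172.16.0.0", "0.15.255.255"),
    ("192.0.0.0", "0.0.0.255"), ("192.0.2.0", "0.0.0.255"), ("192.168.0.0", "0.0.255.255"),
    ("198.18.0.0", "0.1.255.255"), ("198.51.0.0", "0.0.0.255"), ("203.0.113.0", "0.0.0.255"),
    ("224.0.0.0", "31.255.255.255")))

ACL_RE = re.compile(r"^\s*deny\s+ipv4\s+([\d.]+)\s+([\d.]+)\s+any\s*$")

def wildcard_to_network(addr, wildcard):
    """Turn a Cisco address/wildcard pair into an ip_network; reject wildcards
    that do not invert to a contiguous mask (those cannot be expressed as CIDR)."""
    mask = ~int(ipaddress.ip_address(wildcard)) & 0xFFFFFFFF
    prefixlen = bin(mask).count("1")
    if mask != (0xFFFFFFFF << (32 - prefixlen)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    return ipaddress.ip_network(f"{addr}/{prefixlen}", strict=False)

def parse_acl(text):
    """Return the networks named by every 'deny ipv4 A W any' line in text."""
    return [wildcard_to_network(*m.groups())
            for m in map(ACL_RE.match, text.splitlines()) if m]

def audit(acl_nets, reference=REFERENCE_BOGONS):
    """Return (non_bogons, missing): ACL entries with addresses outside the reference
    bogon space, and reference bogons no ACL entry fully covers. Adjacent blocks are
    merged first so 224/4 + 240/4 is recognised as 224/3 and vice versa."""
    ref = list(ipaddress.collapse_addresses(reference))
    acl = list(ipaddress.collapse_addresses(acl_nets))
    non_bogons = [n for n in acl_nets if not any(n.subnet_of(r) for r in ref)]
    missing = [r for r in reference if not any(r.subnet_of(a) for a in acl)]
    return non_bogons, missing

if __name__ == "__main__":
    non_bogons, missing = audit(parse_acl(SAMPLE_ACL))
    print("not bogons (would drop legitimate traffic):", [str(n) for n in non_bogons])
    print("bogons not covered:", [str(m) for m in missing])
```

Run against the posted list it flags 11/8, 22/8, 30/8 and the mistyped 198.51.0.0/24 as non-bogons, and 198.51.100.0/24 as the uncovered bogon; whether the reference itself is current is still something to verify against the live list.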

