On Sun, 27 Jan 2002, Bugtraq Mailing Lists wrote:

> you should start implementing ingress filtering on your routers
> so that this spoofed attack will not happen again by your end users.
>
> if you have a cisco based router:
> conf t
> int e0/0 <-- do this on all of your interfaces
> ip verify unicast reverse-path

Of course this only works if you have a single connection to the internet. If you have multiple connections with multiple BGP sessions, this will most likely break many things. Instead you want some basic incoming and outgoing access lists thrown on the interfaces.

An incoming filter similar to this might work:

access-list 120 deny ip your.net.block.goes.here your.inverse.netmask.goes.here any log
access-list 120 deny ip 224.0.0.0 31.255.255.255 any log
access-list 120 deny ip 192.168.0.0 0.0.255.255 any log
access-list 120 deny ip 172.16.0.0 0.15.255.255 any log
access-list 120 permit ip 128.0.0.0 127.255.255.255 any
access-list 120 deny ip 96.0.0.0 31.255.255.255 any log
access-list 120 deny ip 23.0.0.0 8.255.255.255 any log
access-list 120 deny ip 10.0.0.0 0.255.255.255 any log
access-list 120 deny ip 0.0.0.0 1.255.255.255 any log
access-list 120 permit ip any any

As you should be a good internet denizen and not spew crap onto the backbone that might cause problems, you probably should filter egress as well. The simplest egress filter would be:

access-list 130 permit ip your.net.block.goes.here your.inverse.netmask.goes.here any
access-list 130 deny ip any any

Once you have built your access lists, and are satisfied with them, you need to do something like the following example on all of your external interfaces:

c7204(config)#int e 2/3
c7204(config-if)#ip access-group 120 in
c7204(config-if)#ip access-group 130 out
c7204(config-if)#end

Signed: //Stany

P.S.
This is not meant to be a replacement for someone with Cisco skill - there are many clued-in people out there that are jobless at the moment, and the last time I tried to write comprehensive instructions for Cisco security for our IX, I was informed in a no-nonsense way that I really should not take the bread and butter from the CCIEs, lest I want my employer to be packeted/nullrouted off the face of the internet.

--
+-------+ Stanislav N Vardomskiy - Procurator Odiosus Ex Infernis[TM] +-------+
| "Backups we have; it's restores that we find tricky." Richard Letts at ASR |
| This message is powered by JOLT! For all the sugar and twice the caffeine. |
+-+ 10570 + My words are my own. LARTs are provided free of charge + 10533 +-+

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
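An added check, not part of Stany's post: a small Python evaluator for the source field of the two lists above, with the your.net.block placeholder filled in with the constructed prefix 203.0.113.0 0.0.0.255 (an assumption). It applies Cisco's first-match and wildcard-mask semantics, which lets you confirm what an entry such as 23.0.0.0 8.255.255.255 actually covers before the list goes on a production interface.

```python
import ipaddress
import re

# Constructed sample: the two lists from the post, with the placeholder
# filled with 203.0.113.0/24 (assumption; substitute your own prefix).
ACL_120 = """
access-list 120 deny ip 203.0.113.0 0.0.0.255 any log
access-list 120 deny ip 224.0.0.0 31.255.255.255 any log
access-list 120 deny ip 192.168.0.0 0.0.255.255 any log
access-list 120 deny ip 172.16.0.0 0.15.255.255 any log
access-list 120 permit ip 128.0.0.0 127.255.255.255 any
access-list 120 deny ip 96.0.0.0 31.255.255.255 any log
access-list 120 deny ip 23.0.0.0 8.255.255.255 any log
access-list 120 deny ip 10.0.0.0 0.255.255.255 any log
access-list 120 deny ip 0.0.0.0 1.255.255.255 any log
access-list 120 permit ip any any
"""
ACL_130 = """
access-list 130 permit ip 203.0.113.0 0.0.0.255 any
access-list 130 deny ip any any
"""

ENTRY = re.compile(r"access-list\s+\d+\s+(permit|deny)\s+ip\s+(\S+)(?:\s+(\S+))?\s+any\b")

def parse_acl(text):
    """Return [(action, source_base, source_wildcard)] as ints, in list order."""
    entries = []
    for line in text.strip().splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            raise ValueError("unparsed entry: " + line)
        action, src, wc = m.groups()
        base, mask = (0, 0xFFFFFFFF) if src == "any" else (
            int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(wc)))
        entries.append((action, base, mask))
    return entries

def matches(addr, base, wildcard):
    """Cisco wildcard: a set bit means 'don't care'. Bits need not be contiguous,
    so 23.0.0.0 8.255.255.255 covers 23/8 and 31/8 only, not 16.0.0.0-31.255.255.255."""
    return ((addr ^ base) & ~wildcard & 0xFFFFFFFF) == 0

def lookup(acl_text, src):
    """First matching entry wins; a Cisco ACL ends with an implicit deny."""
    a = int(ipaddress.IPv4Address(src))
    for action, base, wc in parse_acl(acl_text):
        if matches(a, base, wc):
            return action
    return "deny"
```

Calling lookup(ACL_120, "16.0.0.1") returns "permit" while lookup(ACL_120, "31.4.4.4") returns "deny", which is the non-contiguous-mask behaviour worth knowing before relying on the 23.0.0.0 entry.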
This archive was generated by hypermail 2b30 : Mon Jan 28 2002 - 10:22:02 PST