[Snort-users] Re: Snort-users digest, Vol 1 #1929 - 1 msg

Joe Pampel joe at ...3851...
Fri May 31 12:52:03 EDT 2002


One more really good reason, if you haven't already: check out Rob Thomas' secure IOS config.
The mainstay of his serial interface ACL is the blocks of either unallocated IPs or private IPs.
You can blackhole them right at your edge router (private IP traffic, meet interface Null0 :-) ). He updates
them as they get allocated too, so check in every so often to keep up to date. I get lots
of traffic not only from RFC 1918 addresses but also unallocated blocks, as well as the MSFT block (169.254.0.0).
If I ran the world, every ISP would use this ACL on every ingress point and cancel service to any
miscreant with 3 strikes for sending packets from an unroutable address, on attempted DDoS charges.
Until then, it's up to us, I'm afraid.

Just cut and paste...  

and hey - Be careful out there.

- Joe

that URL again:  http://www.cymru.com/~robt/Docs/Articles/secure-ios-template.html

excerpt pasted below..

! Deny any packets from the RFC 1918, IANA reserved, test,
! multicast as a source, and loopback netblocks to block
! attacks from commonly spoofed IP addresses.
access-list 2010 remark Anti-bogon ACL
! Claims it came from the inside network, yet arrives on the
! outside (read: Internet) interface. Do not use this if CEF
! has been configured to take care of spoofing.
! access-list 2010 deny ip 6.6.6.0 0.0.0.255 any log-input
! access-list 2010 deny ip 7.7.7.0 0.0.0.255 any log-input
! Bogons
access-list 2010 deny ip 1.0.0.0 0.255.255.255 any log-input
access-list 2010 deny ip 2.0.0.0 0.255.255.255 any log-input
access-list 2010 deny ip 5.0.0.0 0.255.255.255 any log-input
access-list 2010 deny ip 7.0.0.0 0.255.255.255 any log-input
access-list 2010 deny ip 10.0.0.0 0.255.255.255 any log-input
access-list 2010 deny ip 23.0.0.0 0.255.255.255 any log-input
access-list 2010 deny ip 27.0.0.0 0.255.255.255 any log-input
access-list 2010 deny ip 31.0.0.0 0.255.255.255 any log-input
access-list 2010 deny ip 36.0.0.0 0.255.255.255 any log-input
access-list 2010 deny ip 37.0.0.0 0.255.255.255 any log-input
access-list 2010 deny ip 39.0.0.0 0.255.255.255 any log-input
access-list 2010 deny ip 41.0.0.0 0.255.255.255 any log-input
access-list 2010 deny ip 42.0.0.0 0.255.255.255 any log-input
access-list 2010 deny ip 49.0.0.0 0.255.255.255 any log-input
access-list 2010 deny ip 50.0.0.0 0.255.255.255 any log-input
access-list 2010 deny ip 58.0.0.0 0.255.255.255 any log-input
access-list 2010 deny ip 59.0.0.0 0.255.255.255 any log-input
access-list 2010 deny ip 60.0.0.0 0.255.255.255 any log-input
access-list 2010 deny ip 69.0.0.0 0.255.255.255 any log-input
access-list 2010 deny ip 70.0.0.0 0.255.255.255 any log-input
access-list 2010 deny ip 71.0.0.0 0.255.255.255 any log-input
access-list 2010 deny ip 72.0.0.0 0.255.255.255 any log-input
access-list 2010 deny ip 73.0.0.0 0.255.255.255 any log-input
access-list 2010 deny ip 74.0.0.0 0.255.255.255 any log-input
access-list 2010 deny ip 75.0.0.0 0.255.255.255 any log-input
access-list 2010 deny ip 76.0.0.0 0.255.255.255 any log-input
access-list 2010 deny ip 77.0.0.0 0.255.255.255 any log-input
access-list 2010 deny ip 78.0.0.0 0.255.255.255 any log-input
access-list 2010 deny ip 79.0.0.0 0.255.255.255 any log-input
access-list 2010 deny ip 82.0.0.0 0.255.255.255 any log-input
access-list 2010 deny ip 83.0.0.0 0.255.255.255 any log-input
access-list 2010 deny ip 84.0.0.0 0.255.255.255 any log-input
access-list 2010 deny ip 85.0.0.0 0.255.255.255 any log-input
access-list 2010 deny ip 86.0.0.0 0.255.255.255 any log-input
access-list 2010 deny ip 87.0.0.0 0.255.255.255 any log-input
access-list 2010 deny ip 88.0.0.0 0.255.255.255 any log-input
access-list 2010 deny ip 89.0.0.0 0.255.255.255 any log-input
access-list 2010 deny ip 90.0.0.0 0.255.255.255 any log-input
access-list 2010 deny ip 91.0.0.0 0.255.255.255 any log-input
access-list 2010 deny ip 92.0.0.0 0.255.255.255 any log-input
access-list 2010 deny ip 93.0.0.0 0.255.255.255 any log-input
access-list 2010 deny ip 94.0.0.0 0.255.255.255 any log-input
access-list 2010 deny ip 95.0.0.0 0.255.255.255 any log-input
access-list 2010 deny ip 96.0.0.0 0.255.255.255 any log-input
access-list 2010 deny ip 97.0.0.0 0.255.255.255 any log-input
access-list 2010 deny ip 98.0.0.0 0.255.255.255 any log-input
access-list 2010 deny ip 99.0.0.0 0.255.255.255 any log-input
access-list 2010 deny ip 100.0.0.0 0.255.255.255 any log-input
access-list 2010 deny ip 101.0.0.0 0.255.255.255 any log-input
access-list 2010 deny ip 102.0.0.0 0.255.255.255 any log-input
access-list 2010 deny ip 103.0.0.0 0.255.255.255 any log-input
access-list 2010 deny ip 104.0.0.0 0.255.255.255 any log-input
access-list 2010 deny ip 105.0.0.0 0.255.255.255 any log-input
access-list 2010 deny ip 106.0.0.0 0.255.255.255 any log-input
access-list 2010 deny ip 107.0.0.0 0.255.255.255 any log-input
access-list 2010 deny ip 108.0.0.0 0.255.255.255 any log-input
access-list 2010 deny ip 109.0.0.0 0.255.255.255 any log-input
access-list 2010 deny ip 110.0.0.0 0.255.255.255 any log-input
access-list 2010 deny ip 111.0.0.0 0.255.255.255 any log-input
access-list 2010 deny ip 112.0.0.0 0.255.255.255 any log-input
access-list 2010 deny ip 113.0.0.0 0.255.255.255 any log-input
access-list 2010 deny ip 114.0.0.0 0.255.255.255 any log-input
access-list 2010 deny ip 115.0.0.0 0.255.255.255 any log-input
access-list 2010 deny ip 116.0.0.0 0.255.255.255 any log-input
access-list 2010 deny ip 117.0.0.0 0.255.255.255 any log-input
access-list 2010 deny ip 118.0.0.0 0.255.255.255 any log-input
access-list 2010 deny ip 119.0.0.0 0.255.255.255 any log-input
access-list 2010 deny ip 120.0.0.0 0.255.255.255 any log-input
access-list 2010 deny ip 121.0.0.0 0.255.255.255 any log-input
access-list 2010 deny ip 122.0.0.0 0.255.255.255 any log-input
access-list 2010 deny ip 123.0.0.0 0.255.255.255 any log-input
access-list 2010 deny ip 124.0.0.0 0.255.255.255 any log-input
access-list 2010 deny ip 125.0.0.0 0.255.255.255 any log-input
access-list 2010 deny ip 126.0.0.0 0.255.255.255 any log-input
access-list 2010 deny ip 127.0.0.0 0.255.255.255 any log-input
access-list 2010 deny ip 169.254.0.0 0.0.255.255 any log-input
access-list 2010 deny ip 172.16.0.0 0.15.255.255 any log-input
access-list 2010 deny ip 192.0.2.0 0.0.0.255 any log-input
access-list 2010 deny ip 192.168.0.0 0.0.255.255 any log-input
access-list 2010 deny ip 197.0.0.0 0.255.255.255 any log-input
access-list 2010 deny ip 201.0.0.0 0.255.255.255 any log-input
access-list 2010 deny ip 221.0.0.0 0.255.255.255 any log-input
access-list 2010 deny ip 222.0.0.0 0.255.255.255 any log-input
access-list 2010 deny ip 223.0.0.0 0.255.255.255 any log-input
access-list 2010 deny ip 224.0.0.0 31.255.255.255 any log-input
! Drop all ICMP fragments
access-list 2010 deny icmp any any fragments log-input

etc
etc
etc



--__--__--

Message: 1
Date: Fri, 31 May 2002 13:25:35 -0600
From: Rich Adamson  <radamson at ...2127...>
Subject: Re: [Snort-users] (no subject)
To: snort-users at lists.sourceforge.net 
Cc: Hugo Ferr  <snortgrp at ...125...>

There are a lot of ISPs (including Sprint) that do not filter the non-routable
addresses at every router. In some cases, these addresses can carry on a full 
session. The default condition for most routers is to allow the routing.
In your case, you might try tracerouting to it (assuming you are not using
those same addresses).

> Snort LAN sensor
> Here is the line from acid:
>   DOS MSDTC attempt   source 207.35.159.36:80   destination 10.0.0.249:3372   TCP
> 
> 
> How is this possible? 10.0.0.249 is a proxy machine that doesn't have a public
> IP. How can somebody connect to a non-routable IP from the outside world?
> Or should I interpret this line as something else?




--__--__--

_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net 
https://lists.sourceforge.net/lists/listinfo/snort-users 


End of Snort-users Digest
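As an added example (not from either post, and not part of Rob Thomas' template), the Python below parses `deny ip <addr> <wildcard> any` entries from an IOS ACL like the one excerpted above and checks which side of a Snort/ACID alert an ingress anti-bogon ACL would actually have matched. The ACL text is a constructed subset copied from the quoted list; the second alert's addresses are constructed.

```python
import ipaddress
import re

# Constructed subset of the anti-bogon ACL quoted above (full list is in the mail).
ACL_TEXT = """\
access-list 2010 remark Anti-bogon ACL
! Bogons
access-list 2010 deny ip 10.0.0.0 0.255.255.255 any log-input
access-list 2010 deny ip 169.254.0.0 0.0.255.255 any log-input
access-list 2010 deny ip 172.16.0.0 0.15.255.255 any log-input
access-list 2010 deny ip 192.168.0.0 0.0.255.255 any log-input
access-list 2010 deny ip 224.0.0.0 31.255.255.255 any log-input
"""
# Matches 'permit|deny ip <addr> <wildcard> any ...'; remarks and '!' lines do not.
ACE_RE = re.compile(r"^access-list\s+\d+\s+(permit|deny)\s+ip\s+"
                    r"(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+any\b")

def parse_acl(text):
    """Return [(action, IPv4Network)] in ACL order. A Cisco wildcard is the inverse
    of a netmask (0.255.255.255 == /8); ipaddress takes it as a hostmask if contiguous."""
    entries = []
    for line in text.splitlines():
        m = ACE_RE.match(line.strip())
        if m:
            action, addr, wildcard = m.groups()
            entries.append((action, ipaddress.IPv4Network(f"{addr}/{wildcard}", strict=False)))
    return entries

def first_match(entries, ip):
    """IOS evaluates ACEs top-down and the first hit wins; None means no ACE hit."""
    addr = ipaddress.IPv4Address(ip)
    for action, net in entries:
        if addr in net:
            return action, net
    return None

def check_alert(entries, src, dst):
    """An ingress anti-bogon ACL on the outside interface checks only the SOURCE of
    inbound packets; a private DESTINATION (the inside host a LAN sensor reports) is untouched."""
    src_hit = first_match(entries, src)
    dst_hit = first_match(entries, dst)
    return {"src_denied": bool(src_hit) and src_hit[0] == "deny",
            "src_net": str(src_hit[1]) if src_hit else None,
            "dst_is_bogon": dst_hit is not None}

if __name__ == "__main__":
    acl = parse_acl(ACL_TEXT)
    print(check_alert(acl, "207.35.159.36", "10.0.0.249"))  # the ACID line from the digest
    print(check_alert(acl, "192.168.1.5", "203.0.113.10"))  # constructed spoofed RFC 1918 source
```

For the digest's alert the result is src_denied False and dst_is_bogon True: the private address is the inside proxy on the receiving end, which the edge ACL never inspects. Many /8s in this 2002 excerpt (23, 50, 100 and others) have since been allocated, so regenerate the list from a current bogon feed rather than deploying this one.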





