Traffic which should be blocked by routers (Cisco specific)
There are a number of Internet addresses and packet types which a site router should always block. In most cases there is no legitimate reason for this traffic to appear on a public network, so any occurrence indicates either a misconfigured host somewhere on the Internet or hostile activity.
Private Address Spaces
A number of address ranges are reserved for private use (see RFC1918), for link-local use or for test purposes. These should never be directly connected to the Internet, so packets with these source addresses should never be seen on the external network. Some mis-configured hosts do generate such packets, and intruders can also use these addresses to confuse local network equipment. Any packet with a source address in these ranges should therefore be rejected by the site router:
    10.0.0.0    - 10.255.255.255   (10/8 prefix)
    172.16.0.0  - 172.31.255.255   (172.16/12 prefix)
    192.168.0.0 - 192.168.255.255  (192.168/16 prefix)
    169.254.0.0 - 169.254.255.255  (169.254/16 prefix)
    192.0.2.0   - 192.0.2.255      (192.0.2/24 prefix)
These can be blocked with the following lines, where nnn is the number of an extended IP access list (100-199), applied as an "in" list on the "outside" interface:
    ! Block packets from private networks, RFC1918.
    access-list nnn deny ip 10.0.0.0 0.255.255.255 any log
    access-list nnn deny ip 172.16.0.0 0.15.255.255 any log
    access-list nnn deny ip 192.168.0.0 0.0.255.255 any log
    ! Other private address ranges.
    access-list nnn deny ip 169.254.0.0 0.0.255.255 any log
    access-list nnn deny ip 192.0.2.0 0.0.0.255 any log
Spoofed Packets

A common technique used to attack sites is to create packets which appear to come from local IP addresses, so that hosts which trust by address accept them. The site router is in an ideal place to detect and prevent these attacks, since a packet with an internal source address can never legitimately arrive on the external interface of the router. These packets should therefore be rejected on the "in" list of the "outside" interface:
    ! Block packets from spoofed networks.
    ! These are our subnets and cannot be outside the local LAN
    ! 1) if you have a class B address:
    access-list nnn deny ip n1.n2.0.0 0.0.255.255 any log
    ! 2) or for class C addresses, one or more of the form:
    access-list nnn deny ip n1.n2.n3.0 0.0.0.255 any log
We also recommend that sites comply with Internet best practice by blocking outgoing packets which do not carry an internal source address. This prevents your site from being used to launch the source-address spoofing attacks described in RFC2267 (network ingress filtering).
Note. These permit lines belong on an "out" access list attached to the "outside" interface of the router, unlike the other examples, which go on the "in" access list of the "outside" interface.
    ! block packets going out which do not have an internal address
    ! 1) if you have a class B address:
    access-list nnn permit ip n1.n2.0.0 0.0.255.255 any
    ! 2) or for class C addresses, one or more of the form:
    access-list nnn permit ip n1.n2.n3.0 0.0.0.255 any
Where n1.n2.0.0 or n1.n2.n3.0 is your own internal address space. Every IOS access list ends with an implicit deny, so any outgoing packet whose source address matches none of these permit lines is dropped; only the explicitly listed ranges are allowed to leave.
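The class B and class C templates above only cover octet-aligned address blocks. The following Python script is added here as an example and is not part of the original page: it generates both the inbound (anti-spoofing) and outbound (RFC2267 egress) access lists for any set of internal prefixes written in CIDR notation, computing the IOS wildcard mask as the bitwise inverse of the netmask (so a /22 becomes 0.0.3.255), checking that the list number is in the extended range, and refusing internal prefixes that fall inside the private ranges the inbound list already drops, since a private block cannot be the public source of the site's outgoing traffic. The list numbers 101 and 102 and the site prefix 198.51.100.0/22 are placeholders chosen for illustration.

```python
import ipaddress

# Source ranges the page says the site router should always reject inbound.
BOGON_SOURCES = [
    ("10.0.0.0/8", "RFC1918"),
    ("172.16.0.0/12", "RFC1918"),
    ("192.168.0.0/16", "RFC1918"),
    ("169.254.0.0/16", "link-local"),
    ("192.0.2.0/24", "test network"),
]


def src_spec(cidr: str) -> str:
    """Render a prefix the way an IOS extended ACL wants it: address plus
    wildcard mask, where the wildcard is the bitwise inverse of the netmask
    (a /24 gives 0.0.0.255, a /22 gives 0.0.3.255). A /32 uses 'host'."""
    net = ipaddress.ip_network(cidr)
    if net.prefixlen == 32:
        return f"host {net.network_address}"
    return f"{net.network_address} {net.hostmask}"


def check_number(number: int) -> int:
    """Extended IP access lists are numbered 100-199 or 2000-2699."""
    if not (100 <= number <= 199 or 2000 <= number <= 2699):
        raise ValueError(f"{number} is not an extended IP access-list number")
    return number


def check_internal(internal):
    """Validate the site's own prefixes and refuse any that overlap a range the
    inbound list drops: the egress list must describe the public, routed space."""
    for cidr in internal:
        net = ipaddress.ip_network(cidr)
        for bogon, why in BOGON_SOURCES:
            if net.overlaps(ipaddress.ip_network(bogon)):
                raise ValueError(f"{net} overlaps {bogon} ({why}); use the site's public space")
    return list(internal)


def inbound_acl(number: int, internal) -> list:
    """'in' list for the outside interface: drop private/test sources, then
    drop anything claiming to come from our own address space."""
    check_number(number)
    lines = ["! Inbound on the outside interface: private, test and spoofed sources"]
    for bogon, why in BOGON_SOURCES:
        lines.append(f"! {why}")
        lines.append(f"access-list {number} deny ip {src_spec(bogon)} any log")
    lines.append("! Our own prefixes arriving from outside are spoofed")
    for cidr in check_internal(internal):
        lines.append(f"access-list {number} deny ip {src_spec(cidr)} any log")
    return lines


def outbound_acl(number: int, internal) -> list:
    """'out' list for the outside interface (RFC2267 egress filtering): permit
    only our own source addresses. IOS already ends the list with an implicit
    deny; the final explicit line drops the same packets but logs them."""
    check_number(number)
    lines = ["! Outbound on the outside interface: only our own sources may leave"]
    for cidr in check_internal(internal):
        lines.append(f"access-list {number} permit ip {src_spec(cidr)} any")
    lines.append(f"access-list {number} deny ip any any log")
    return lines


if __name__ == "__main__":
    site = ["198.51.100.0/22"]  # assumed site prefix, a placeholder
    print("\n".join(inbound_acl(101, site)))
    print()
    print("\n".join(outbound_acl(102, site)))
```

The generated lists still have to be attached with `ip access-group` in the right direction on the outside interface, as the note above describes; the script only produces the access-list lines.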
Source Routed Packets.
Source routing is a debugging facility (the IP loose and strict source route options) which allows the sender of a packet to state explicitly the route it should follow to its destination, rather than leaving that to the normal routing tables. However, source routed packets can also be used to defeat some access control mechanisms, since the reply follows the stated route in reverse. There is rarely a legitimate need for source routed packets, so they are best blocked with the global configuration command

    no ip source-route

which makes the router discard any packet carrying a source route option.
Smurfing

Smurfing is a popular hacking technique by which attackers persuade your network to perform a denial of service attack on a machine somewhere else on the Internet: a packet with a forged source address is sent to your network's broadcast address, and every host that answers sends its reply to the victim. Such attacks also generate large quantities of traffic on your own network, so they are well worth preventing for your own sake as well as to be a good neighbour. Smurfing relies on network broadcasts, which should never arrive in your network from outside. The simplest way to avoid being used in this kind of attack is to include the line

    no ip directed-broadcast

on each interface of the router; it is an interface configuration command, so every interface that could expand a directed broadcast needs it. Note that Cisco IOS 12.0 and later disable directed broadcasts by default.
If you cannot use the interface command above, smurfing can also be blocked using ordinary access control lists, on the "in" list of the "outside" interface, to implement the following rules:

    deny packets with broadcast source or destination addresses (255/8 and 0/8)
    deny packets with localhost source or destination addresses (127/8)
    deny packets with network broadcast destination addresses (e.g. n1.n2.n3.255 and n1.n2.n3.0 for a Class C network)

    ! Block packets from broadcast addresses, network numbers
    ! and localhost
    access-list nnn deny ip 0.0.0.0 0.255.255.255 any log
    access-list nnn deny ip 127.0.0.0 0.255.255.255 any log
    access-list nnn deny ip 255.0.0.0 0.255.255.255 any log
    ! and to them as well
    access-list nnn deny ip any 0.0.0.0 0.255.255.255 log
    access-list nnn deny ip any 127.0.0.0 0.255.255.255 log
    access-list nnn deny ip any 255.0.0.0 0.255.255.255 log
    ! Block directed broadcast from entering networks,
    ! see CERT Advisory CA-98.01.smurf
    ! 1) for a class B network
    access-list nnn deny ip any host n1.n2.255.255 log
    [ Replace n1.n2 with your network broadcast ]
    access-list nnn deny ip any host n1.n2.0.0 log
    [ Replace n1.n2 with your network address ]
    ! 2) or for a class C network
    access-list nnn deny ip any host n1.n2.n3.255 log
    [ Replace n1.n2.n3 with your network broadcast ]
    access-list nnn deny ip any host n1.n2.n3.0 log
    [ Replace n1.n2.n3 with your network address ]

These deny lines must come before any permit line in the list. If your address space is subnetted, every subnet has its own broadcast and network addresses (n1.n2.x.255 and n1.n2.x.0 for a class B split into /24 subnets) and each needs lines of its own, which is why the interface command is preferable where it is available.