Preventing Basic DDoS Attacks – Part 2 of 5

By Anthony Sequeira on June 22nd, 2011

Since many of the DDoS attacks seek to spoof source IP addressing, it is very important to protect internal networks by filtering outside interfaces for “bogon” sources. What in the world is a bogon? Well, this is the slang that was adopted to refer to source IP addresses that should never show up on your outside (Internet-facing) interfaces.

It is a fun and worthwhile CCIE Security lab practice to see how many of these filter entries you can come up with off the top of your head. When you are creating these filters in your production network, you can use RFCs like 3330 – Special-Use IPv4 Addresses to assist you.

Probably some of the first Access Control List entries (ACEs) that students think of here are the RFC 1918 private-use IP address ranges. These filter entries would look as follows:

access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any

Another very popular one is the internal loopback range. Yes, this should never show up as a source IP on our outside interfaces.

access-list 101 deny ip 127.0.0.0 0.255.255.255 any

How about the Automatic Private IP Addressing used in Microsoft environments? Yes, this certainly represents another important entry:

access-list 101 deny ip 169.254.0.0 0.0.255.255 any

With these examples in mind, you can see how your filters can get quite lengthy and complex. Also, it is very important to keep in mind that the list of “bogons” is constantly changing as the address space changes. Be sure to check the latest RFCs for the complete list of external source addresses that would be unacceptable at your interfaces.
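Because the list grows and changes, it helps to generate the ACEs from a maintained list of prefixes rather than hand-typing wildcard masks. The script below is an added example, not code from the original post or from INE: it converts CIDR prefixes into Cisco-style ACEs (computing the inverted wildcard mask, and using the "host" form for a /32), and then checks a constructed sample of source addresses against the same list the way the ingress filter would. The five prefixes from the post are included; the further entries (0.0.0.0/8, multicast 224.0.0.0/4, the reserved 240.0.0.0/4 block, and the limited broadcast address) are an assumption about what a site would also filter, and the ACL number 101 is carried over from the post's examples.

```python
"""Generate a bogon ingress ACL from CIDR prefixes and test source addresses against it.

Added example for illustration; not code from the original post.
"""
import ipaddress

# Special-use IPv4 prefixes that should never appear as a *source* address on an
# Internet-facing interface. The first five are the ranges named in the post
# (RFC 1918, loopback, APIPA); the remainder are additional RFC 5735 special-use
# blocks chosen here as an assumption about what a site would also filter.
BOGON_PREFIXES = [
    ("RFC 1918 private", "10.0.0.0/8"),
    ("RFC 1918 private", "172.16.0.0/12"),
    ("RFC 1918 private", "192.168.0.0/16"),
    ("loopback", "127.0.0.0/8"),
    ("APIPA / link-local", "169.254.0.0/16"),
    ("this network", "0.0.0.0/8"),
    ("multicast", "224.0.0.0/4"),
    ("reserved", "240.0.0.0/4"),
    ("limited broadcast", "255.255.255.255/32"),
]


def ace(cidr, acl_number=101):
    """Return one Cisco extended-ACL deny entry for a source prefix.

    Cisco ACLs take an inverted (wildcard) mask: 0 bits must match, 1 bits are
    don't-care. ipaddress exposes exactly that value as the network's hostmask.
    A /32 is written with the 'host' keyword instead of a 0.0.0.0 wildcard.
    """
    net = ipaddress.ip_network(cidr, strict=True)
    if net.prefixlen == 32:
        src = f"host {net.network_address}"
    else:
        src = f"{net.network_address} {net.hostmask}"
    return f"access-list {acl_number} deny ip {src} any"


def build_acl(prefixes=BOGON_PREFIXES, acl_number=101):
    """Build the full ingress ACL: a remark plus a deny per prefix, then permit the rest."""
    lines = []
    for label, cidr in prefixes:
        lines.append(f"access-list {acl_number} remark bogon source: {label}")
        lines.append(ace(cidr, acl_number))
    # Without a closing permit, the implicit deny at the end would drop all traffic.
    lines.append(f"access-list {acl_number} permit ip any any")
    return lines


def is_bogon_source(ip, prefixes=BOGON_PREFIXES):
    """Return the label of the first bogon prefix containing ip, or None if it is not a bogon."""
    addr = ipaddress.ip_address(ip)
    for label, cidr in prefixes:
        if addr in ipaddress.ip_network(cidr):
            return label
    return None


# Constructed sample of source addresses arriving on the outside interface.
# 203.0.113.7 and 198.51.100.9 are RFC 5737 documentation addresses standing in
# for ordinary public sources; the others should all be dropped by the filter.
SAMPLE_SOURCES = [
    "203.0.113.7",
    "10.1.2.3",
    "127.0.0.1",
    "169.254.10.20",
    "224.0.0.5",
    "198.51.100.9",
]


def classify(sources=SAMPLE_SOURCES):
    """Map each sample source to the bogon label that would drop it (None = permitted)."""
    return {ip: is_bogon_source(ip) for ip in sources}


if __name__ == "__main__":
    print("\n".join(build_acl()))
    print()
    for ip, label in classify().items():
        print(f"{ip:16} {'DROP (' + label + ')' if label else 'permit'}")
```

Applied inbound on the outside interface, the generated ACL drops the spoofed sources and passes everything else to whatever further filtering follows; keeping the prefix list in one place means updating it when the special-use registry changes is a one-line edit rather than a hand-recomputed mask.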

Anthony Sequeira CCIE, CCSI
Twitter: @compsolv



    3 Responses to “Preventing Basic DDoS Attacks – Part 2 of 5”

    1. uri says:

      Hi there!

      JFYI: RFC 3330 has been obsoleted by RFC 5735, which has BCP status these days.

    2. Karsten says:

      RFC 3330 is obsolete and was replaced by RFC 5735:
      There were some new networks for documentation introduced.

      Additionally you could deny Network 0/8, Multicast-, Broadcast- and “Class D”-Sources.

    3. Ajaz Nawaz says:

      Isn’t it the job of Unicast Reverse Path to fix this problem?

