I am just wondering why Cisco recommends applying the filtering stated in RFCs 2827 & 1918 on the border and ISP routers, whereas the range called to be filtered in RFC 2827 is originally not routable elsewhere, and the addresses which need to be filtered in RFC 1918 are not routable on the Internet!
I understand that both RFCs call for such filtering to prevent DoS and access using private IP addresses, but I am just wondering: if I didn't apply this filtering, how would an attacker be able to access my network using a private IP address (as it is a non-routable IP)? Also, how would my network be a source of DoS using a spoofed IP, as RFC 2827 advises, whereas there is no way to use an IP from a range other than the one allocated to my network by the ISP, because again it will be non-routable by the ISP!
The fact that some addresses are non-routable has to be enforced somewhere. Routers cannot enforce this by default because they are as likely to be used in intranets where the use of such non-routable addresses is completely legal. For more on the mechanics of DoS, see:
You are right in saying that the private address ranges are non-routable. But they are non-routable only when the traffic is routed back to the source.
So if I spoof a packet with a private IP source address, e.g. 192.168.1.1, to your company firewall, it will arrive at your firewall as it is routed to the public address of your firewall. But it can't be routed back.
But for a lot of attacks it does not need to be routed back. For example, the SNMP set command. This is based on UDP. If an attacker managed to guess or obtain your SNMP password and your router had rw for SNMP, he could send an SNMP command telling the router to shut down. He doesn't care about the response.
TCP connections are different. They need to be set up with a 3-way handshake, which is a lot harder to spoof. But again, the attacker might not be interested in this. He might be interested in just sending as many SYN packets to a server as he can. Servers only have a finite number of half-open connections. The server will respond to the SYN with a SYN/ACK, but obviously it never gets there as it is non-routable. But the server has to keep the connection half open for a certain amount of time before it can close it. Send enough of them and the server runs out of "slots". Most modern OSes and firewalls make attempts to address this problem, but it is very difficult to do without denying legitimate connections.
All of the above applies to RFC 2827 addressing as well, except your machines become the attacker instead.
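As an added illustration (not part of the thread), here is a small model of the two filters the answers describe: an inbound check at the border that drops RFC 1918 sources and packets claiming to come from the site's own public block, and an outbound RFC 2827 check that drops anything whose source is not in the block the ISP allocated. The public prefix and the packet sources are constructed sample values; the last function prints the equivalent Cisco IOS extended ACL using wildcard masks.

```python
# Added example: model of RFC 1918 / RFC 2827 filtering at a border router.
# The site prefix and packets below are constructed, not taken from the thread.
import ipaddress

RFC1918 = [ipaddress.ip_network(p)
           for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_private(addr):
    """True if addr falls inside one of the RFC 1918 private ranges."""
    a = ipaddress.ip_address(addr)
    return any(a in net for net in RFC1918)

def border_filter(direction, src, my_prefix):
    """Decide whether the border router should forward a packet.

    direction: "in"  = arriving from the ISP on the outside interface
               "out" = leaving the site towards the ISP
    my_prefix: the public block the ISP allocated to this site (assumed)
    Returns (verdict, reason).
    """
    a = ipaddress.ip_address(src)
    mine = ipaddress.ip_network(my_prefix)
    if direction == "in":
        if is_private(src):
            return ("deny", "RFC 1918 source arriving from the Internet (spoofed)")
        if a in mine:
            return ("deny", "our own prefix arriving from outside (spoofed)")
        return ("permit", "plausible external source")
    if direction == "out":
        if a not in mine:
            return ("deny", "RFC 2827: source not in our allocated block")
        return ("permit", "source belongs to this site")
    raise ValueError(f"unknown direction {direction!r}")

def ios_acl(my_prefix, name="BORDER-IN"):
    """Equivalent Cisco IOS extended ACL text for the inbound rules."""
    lines = [f"ip access-list extended {name}"]
    for net in RFC1918 + [ipaddress.ip_network(my_prefix)]:
        # IOS ACLs take a wildcard (inverted) mask, which is the hostmask here
        lines.append(f" deny ip {net.network_address} {net.hostmask} any")
    lines.append(" permit ip any any")
    return "\n".join(lines)

if __name__ == "__main__":
    site = "203.0.113.0/24"           # constructed public allocation
    for d, s in (("in", "192.168.1.1"), ("in", "203.0.113.5"),
                 ("in", "198.51.100.7"), ("out", "198.51.100.7")):
        print(d, s, border_filter(d, s, site))
    print(ios_acl(site))
```

The ACL text is applied inbound on the ISP-facing interface; the outbound RFC 2827 rule would be a second list permitting only the site's block as source.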