Cisco Support Community

New Member

AntiSpoofing access-list for Router

I need to put an anti-spoofing access-list on my border router.

Can someone give me some examples?

Thanks

4 REPLIES

Re: AntiSpoofing access-list for Router

RFC 2267, "Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing" (January 1998, http://www.landfield.com/ftp/rfc/rfc2267.txt), provides general guidelines on ingress and egress filtering.

No one from the general Internet should be sending you packets with a source address from your own network. By filtering packets on the routers that connect your network to the Internet, you can permit only packets with valid source IP addresses to leave your network and get into the Internet. For example, if your internal network is 200.200.200.0/24, put an ACL that only allows outbound packets with a source of 200.200.200.0/24 (or, if you're using NAT, only those IPs). And your inbound ACL shouldn't allow packets with a source IP of your internal network.

A simple outbound example (not including filtering by port):

access-list 110 permit ip 200.200.200.0 0.0.0.255 any
access-list 110 deny ip any any log
!
interface serial 0/1
 description connection to internet
 ip access-group 110 out

A sample inbound example can be seen at: http://www.rpatrick.com/tech/acl/ .

The key is to deny packets with a source IP from your own network and to open only the ports that are required.

e.g.

access-list 180 deny ip host 0.0.0.0 any log
access-list 180 deny ip 0.0.0.0 1.255.255.255 any log
access-list 180 deny ip 10.0.0.0 0.255.255.255 any log
access-list 180 deny ip 172.16.0.0 0.15.255.255 any log
access-list 180 deny ip 192.168.0.0 0.0.255.255 any log
access-list 180 deny ip 224.0.0.0 31.255.255.255 any log
! your network
access-list 180 deny ip 200.200.200.0 0.0.0.255 any log
access-list 180 permit tcp .....

Hope it helps.

Steve

New Member

Re: AntiSpoofing access-list for Router

A reflexive ACL can help you; it depends on your application.

I hope that helps.

mc

Silver

Re: AntiSpoofing access-list for Router

I also recommend adding 127.0.0.0 0.255.255.255 to the excellent example provided by Mr. Barlow.

The point of the ACL is to deny all traffic which can never be valid to enter the Internet facing interface. This includes all traffic sourced from Private IPs, your own IPs, loopbacks, etc.

New Member

Re: AntiSpoofing access-list for Router

What about

ip route 10.0.0.0 255.0.0.0 Null0
ip route 127.0.0.0 255.0.0.0 Null0
ip route 172.16.0.0 255.240.0.0 Null0
ip route 192.168.0.0 255.255.0.0 Null0

I agree that "access-list" gives you the option of logging, but what do you think will be the pros and cons here?

Kind regards
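As an added example (not code from any post in this thread), the following Python models how a Cisco-style extended ACL such as ACL 110 and ACL 180 above evaluates a packet: wildcard masks, first match wins, implicit deny at the end. It runs constructed packets through the outbound ACL from the first reply and the inbound ACL from the first reply with the 127/8 line from the third reply, and contrasts that with the Null0 static routes from the last reply, which are selected by destination lookup alone and so never see the source address. Assumptions: 200.200.200.0/24 is the thread's example prefix, the final "permit tcp any 200.200.200.0 0.0.0.255 eq 80" stands in for the elided "permit tcp ....." line, and every packet address is a constructed sample. One caveat worth knowing before copying the list: 1.0.0.0/8, which the "0.0.0.0 1.255.255.255" line covers, was unallocated when this thread was written but has since been allocated.

```python
"""Anti-spoofing ACL simulation (added example; not from the thread).

Models Cisco-style extended ACL matching (wildcard masks, first match wins,
implicit deny) and the static routes to Null0 from the last reply, which are
selected by DESTINATION lookup only. ACL lines beyond those quoted from the
thread, and all packet addresses, are constructed samples."""
import ipaddress
from typing import Optional


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Turn an IOS 'address wildcard' pair into an IPv4Network.
    The wildcard is the bitwise inverse of a subnet mask (0.0.0.255 -> /24).
    Only contiguous wildcards are handled; IOS also allows non-contiguous ones."""
    mask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard)))
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


def _parse_addr(t, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' starting at token i."""
    if t[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.IPv4Network(t[i + 1] + "/32"), i + 2
    return wildcard_to_network(t[i], t[i + 1]), i + 2


def parse_acl(text: str) -> dict:
    """Parse 'access-list N permit|deny PROTO SRC DST [eq PORT] [log]' lines
    into {acl_number: [entries in configured order]}."""
    acls = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        t = line.split()
        if t[0] != "access-list":
            raise ValueError(f"unsupported line: {line}")
        src, i = _parse_addr(t, 4)
        dst, i = _parse_addr(t, i)
        dport = None
        if i < len(t) and t[i] == "eq":
            dport, i = int(t[i + 1]), i + 2
        acls.setdefault(int(t[1]), []).append(
            {"action": t[2], "proto": t[3], "src": src, "dst": dst,
             "dport": dport, "log": i < len(t) and t[i] == "log"})
    return acls


def evaluate_acl(entries, proto: str, src: str, dst: str,
                 dport: Optional[int] = None):
    """Return (action, index of the matching entry); index None means the
    packet fell through to the implicit 'deny ip any any'."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for idx, e in enumerate(entries):
        if e["proto"] not in ("ip", proto):
            continue
        if s in e["src"] and d in e["dst"] and e["dport"] in (None, dport):
            return e["action"], idx
    return "deny", None


# Outbound ACL from the first reply (applied 'out' on the Internet interface).
OUTBOUND_ACL = """
access-list 110 permit ip 200.200.200.0 0.0.0.255 any
access-list 110 deny ip any any log
"""

# Inbound ACL from the first reply plus the 127/8 line from the third reply.
# The final permit (TCP to our web server on port 80) is an assumption that
# stands in for the elided 'permit tcp .....' line.
INBOUND_ACL = """
access-list 180 deny ip host 0.0.0.0 any log
access-list 180 deny ip 0.0.0.0 1.255.255.255 any log
access-list 180 deny ip 10.0.0.0 0.255.255.255 any log
access-list 180 deny ip 127.0.0.0 0.255.255.255 any log
access-list 180 deny ip 172.16.0.0 0.15.255.255 any log
access-list 180 deny ip 192.168.0.0 0.0.255.255 any log
access-list 180 deny ip 224.0.0.0 31.255.255.255 any log
access-list 180 deny ip 200.200.200.0 0.0.0.255 any log
access-list 180 permit tcp any 200.200.200.0 0.0.0.255 eq 80
"""
ACLS = parse_acl(OUTBOUND_ACL + INBOUND_ACL)

# Static routes to Null0 from the last reply.
NULL0_ROUTES = [ipaddress.IPv4Network(n) for n in
                ("10.0.0.0/8", "127.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def null_route_drops(dst: str) -> bool:
    """A route to Null0 is chosen by destination lookup; the source address
    is never consulted, so on its own it cannot catch a spoofed source."""
    return any(ipaddress.IPv4Address(dst) in n for n in NULL0_ROUTES)


def inbound(proto, src, dst, dport=None):
    return evaluate_acl(ACLS[180], proto, src, dst, dport)[0]


def outbound(proto, src, dst, dport=None):
    return evaluate_acl(ACLS[110], proto, src, dst, dport)[0]


if __name__ == "__main__":
    # Constructed packet: spoofed private source aimed at our web server.
    print("ACL 180:", inbound("tcp", "10.1.2.3", "200.200.200.10", 80))  # deny
    print("Null0 drops it?", null_route_drops("200.200.200.10"))       # False
```

The same spoofed packet (source 10.1.2.3, destination 200.200.200.10) is denied by the second entry of ACL 180 but is forwarded untouched by the Null0 routes, because the routing lookup only examines 200.200.200.10. The Null0 routes do stop the router from forwarding traffic destined to those private ranges, and they are cheaper than an ACL, but they give you neither the source check nor the logging that the access-list provides.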
