IP addresses that should be prohibited to prevent ip spoofing

by Cyrus Lok on Saturday, March 13, 2010 at 10:39pm
1. 0.0.0.0/8
deny 0.0.0.0 0.255.255.255 log
deny ip 0.0.0.0 0.255.255.255 any log
(cannot be used for IPv4 address assignment)

2. 10.0.0.0/8
deny 10.0.0.0 0.255.255.255 log
deny ip 10.0.0.0 0.255.255.255 any log
(Class A private range)

3. 127.0.0.0/8
deny 127.0.0.0 0.255.255.255 log
deny ip 127.0.0.0 0.255.255.255 any log
(loopback range for diagnostic purposes)

4. 172.16.0.0/12
deny 172.16.0.0 0.15.255.255 log
deny ip 172.16.0.0 0.15.255.255 any log
(Class B private range)

5. 192.168.0.0/16
deny 192.168.0.0 0.0.255.255 log
deny ip 192.168.0.0 0.0.255.255 any log
(Class C private range)

6. 224.0.0.0/4
deny 224.0.0.0 15.255.255.255 log
deny ip 224.0.0.0 15.255.255.255 any log
(multicast range)

7. 240.0.0.0/4
deny 240.0.0.0 15.255.255.255 log
deny ip 240.0.0.0 15.255.255.255 any log
(Class E range)

8. 169.254.0.0/16
deny 169.254.0.0 0.0.255.255 log
deny ip 169.254.0.0 0.0.255.255 any log
(Link-local address range; a host uses it only when it has no IP address assigned)

9. 255.255.255.255/32
deny host 255.255.255.255 log
deny ip host 255.255.255.255 any log
(limited broadcast address; block it so spoofed packets cannot use the broadcast address as their source)

There is an implicit deny at the end of every ACL, so if you want return traffic for sessions initiated by users on the inside network to be allowed back in, place this statement at the end of your extended ACL. Standard ACLs have no established keyword, and the keyword is valid only on TCP entries (it matches segments with the ACK or RST bit set).

Extended ACL, last entry:
permit tcp any any established

Apply the ACL to the outside interface of your router as INBOUND.
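The following is an added example, not code from the original post: it derives the IOS wildcard masks and the two ACE forms above from each CIDR prefix, assembles the full inbound extended ACL, and applies the same range check to constructed log lines so you can confirm which inbound sources the filter would drop. Range list and reason labels are taken from the post; the log format (src=...) is an assumption.

```python
import ipaddress
from typing import List, Optional, Tuple

# Source ranges from the post, with the reason each should never arrive from the outside.
BOGON_RANGES = [
    ("0.0.0.0/8", "unassignable"),
    ("10.0.0.0/8", "RFC 1918 private"),
    ("127.0.0.0/8", "loopback"),
    ("172.16.0.0/12", "RFC 1918 private"),
    ("192.168.0.0/16", "RFC 1918 private"),
    ("224.0.0.0/4", "multicast"),
    ("240.0.0.0/4", "class E / reserved"),
    ("169.254.0.0/16", "link-local"),
    ("255.255.255.255/32", "limited broadcast"),
]

def acl_entries(cidr: str) -> Tuple[str, str]:
    """Standard and extended IOS deny ACEs for one prefix. An IOS wildcard mask is the
    inverse of the subnet mask, which ipaddress exposes as hostmask."""
    net = ipaddress.ip_network(cidr, strict=True)
    if net.prefixlen == 32:  # single address: IOS uses 'host' instead of a 0.0.0.0 wildcard
        return (f"deny host {net.network_address} log",
                f"deny ip host {net.network_address} any log")
    return (f"deny {net.network_address} {net.hostmask} log",
            f"deny ip {net.network_address} {net.hostmask} any log")

def build_extended_acl() -> List[str]:
    """Full inbound extended ACL: every deny entry, then the TCP-only 'established' permit."""
    entries = [acl_entries(cidr)[1] for cidr, _ in BOGON_RANGES]
    entries.append("permit tcp any any established")  # 'established' exists only for TCP
    return entries

def bogon_reason(src_ip: str) -> Optional[str]:
    """Why a packet arriving on the outside interface with this source would be dropped,
    or None if the source is outside every listed range."""
    addr = ipaddress.ip_address(src_ip)
    for cidr, reason in BOGON_RANGES:
        if addr in ipaddress.ip_network(cidr):
            return reason
    return None

def spoofed_sources(log_lines: List[str]) -> List[Tuple[str, str]]:
    """Scan constructed 'src=<ip> ...' log lines; return (source, reason) for each bogon hit."""
    hits = []
    for line in log_lines:
        src = line.split("src=", 1)[1].split()[0]  # assumed log format, constructed for this example
        reason = bogon_reason(src)
        if reason:
            hits.append((src, reason))
    return hits
```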

Private range, RFC1918:
http://tools.ietf.org/html/rfc1918

This entry was posted in Security.