To block UDP port 19 you can add something like:

  deny udp any eq 19 any
  deny udp any any eq 19

This will prevent the DDoS attack traffic entering your network (source port 19) as well as the hosts scanning around looking for hosts on your network that can be used in amplification attacks (destination port 19). Please note that this will not block the UDP fragments that come with these attacks, which have no L4 port to block. You can possibly do policing on UDP fragments to address this.

I'd also suggest adding:

  deny udp any eq 17 any
  deny udp any any eq 17
  deny udp any eq 123 any packet-length eq 468
  deny udp any eq 520 any
  deny udp any any eq 520
  deny udp any eq 1900 any
  deny udp any any eq 1900

Some people will complain that you shouldn't block UDP port 1900 because it's above 1023, but believe me it's worth it.

Also, to block invalid source IPs to prevent some spoofed traffic from coming into your network:

  deny ipv4 0.0.0.0 0.255.255.255 any
  deny ipv4 10.0.0.0 0.255.255.255 any
  deny ipv4 11.0.0.0 0.255.255.255 any
  deny ipv4 22.0.0.0 0.255.255.255 any
  deny ipv4 30.0.0.0 0.255.255.255 any
  deny ipv4 100.64.0.0 0.63.255.255 any
  deny ipv4 127.0.0.0 0.255.255.255 any
  deny ipv4 169.254.0.0 0.0.255.255 any
  deny ipv4 172.16.0.0 0.15.255.255 any
  deny ipv4 192.0.0.0 0.0.0.255 any
  deny ipv4 192.0.2.0 0.0.0.255 any
  deny ipv4 192.168.0.0 0.0.255.255 any
  deny ipv4 198.18.0.0 0.1.255.255 any
  deny ipv4 198.51.0.0 0.0.0.255 any
  deny ipv4 203.0.113.0 0.0.0.255 any
  deny ipv4 224.0.0.0 31.255.255.255 any

For BCP38 and 84 you would want to enable uRPF:
https://en.wikipedia.org/wiki/Reverse_path_forwarding
https://tools.ietf.org/html/rfc3704

Rich Compton | Principal Eng | 314.596.2828
14810 Grasslands Dr, Englewood, CO 80112

On 5/26/17, 11:39 AM, "NANOG on behalf of Graham Johnston" <nanog-bounces@nanog.org on behalf of johnstong@westmancom.com> wrote:
> I really did try looking before I sent the email but couldn't quickly find what I was looking for.
>
> I am looking for information regarding standard ACLs that operators may be using at the internet edge of their network, on peering and transit connections, wherein you are filtering ingress packets such as those sourced from UDP port 19 for instance. I've found incomplete conceptual discussions about it, nothing that seemed concrete or complete.
>
> This doesn't seem quite like it is BCP38 and more like this is BCP84, but it only talks about use of ACLs in section 2.1 without providing any examples. Given that it is also 13 years old I thought there might be fresher information out there.
>
> Thanks,
> graham
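As an added example that is not part of the thread or of any vendor's code, the script below parses the ACL entry forms used in the reply (source-port match, destination-port match, the packet-length test, and wildcard-mask source matching) and evaluates constructed sample packets against them with first-match semantics. ACL_TEXT is an assumed subset of the entries in the reply plus an assumed trailing permit; the Packet values are constructed traffic. Fragment handling is a simplification: a non-initial fragment is modelled as a packet with no ports, so any entry that names a port cannot match it, which is the gap the reply warns about.

```python
"""Evaluate Cisco-style ingress ACL entries against constructed packets.

Added example, not code from the NANOG thread.  It covers just the entry
forms used in the reply: 'deny udp any eq 19 any' (source port),
'deny udp any any eq 19' (destination port), '... packet-length eq 468'
and 'deny ipv4 10.0.0.0 0.255.255.255 any' (wildcard-mask source).
ACL_TEXT is a subset of the thread's entries plus an assumed trailing
'permit ipv4 any any'; the Packet values are constructed sample traffic.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

ACL_TEXT = """
deny udp any eq 19 any
deny udp any any eq 19
deny udp any eq 123 any packet-length eq 468
deny udp any eq 1900 any
deny ipv4 10.0.0.0 0.255.255.255 any
deny ipv4 127.0.0.0 0.255.255.255 any
deny ipv4 224.0.0.0 31.255.255.255 any
permit ipv4 any any
"""

@dataclass
class Packet:
    src: str
    dst: str
    proto: str                 # "udp", "tcp", ...
    sport: Optional[int]       # None for a non-initial fragment (no L4 header)
    dport: Optional[int]
    length: int = 0            # total IP length in bytes

@dataclass
class Ace:
    action: str
    proto: str
    src: tuple                 # (network, wildcard, port or None)
    dst: tuple
    pkt_len: Optional[int]
    text: str

def _parse_endpoint(tokens):
    """Consume 'any' | 'host A' | 'A WILDCARD', then an optional 'eq PORT'."""
    if tokens[0] == "any":
        net, wild, tokens = 0, 0xFFFFFFFF, tokens[1:]
    elif tokens[0] == "host":
        net, wild, tokens = int(ipaddress.IPv4Address(tokens[1])), 0, tokens[2:]
    else:
        net = int(ipaddress.IPv4Address(tokens[0]))
        wild, tokens = int(ipaddress.IPv4Address(tokens[1])), tokens[2:]
    port = None
    if tokens and tokens[0] == "eq":
        port, tokens = int(tokens[1]), tokens[2:]
    return (net, wild, port), tokens

def parse_acl(text):
    """Parse ACL lines in order; lines starting with '!' are comments."""
    aces = []
    for line in text.strip().splitlines():
        toks = line.split()
        if not toks or toks[0].startswith("!"):
            continue
        action, proto, rest = toks[0], toks[1], toks[2:]
        src, rest = _parse_endpoint(rest)
        dst, rest = _parse_endpoint(rest)
        pkt_len = None
        if rest[:2] == ["packet-length", "eq"]:
            pkt_len, rest = int(rest[2]), rest[3:]
        if rest:
            raise ValueError(f"unsupported ACL syntax: {line!r}")
        aces.append(Ace(action, proto, src, dst, pkt_len, line.strip()))
    return aces

def wildcard_to_cidr(net, wild):
    """Cisco wildcard (inverse) mask to CIDR, e.g. 198.18.0.0 0.1.255.255 -> /15."""
    w = int(ipaddress.IPv4Address(wild))
    if (w + 1) & w:                       # set bits not contiguous: no single prefix
        raise ValueError(f"non-contiguous wildcard {wild}")
    return str(ipaddress.ip_network(f"{net}/{32 - w.bit_length()}", strict=False))

def _endpoint_match(addr, port, spec):
    """Wildcard compare (a 1 bit means 'don't care'), then the optional port test.
    A port test needs an L4 header; a non-initial fragment has none (port is
    None), so an entry that names a port can never match it.  That is the gap
    the reply points out, and why fragments need separate handling (policing)."""
    net, wild, want_port = spec
    if (int(ipaddress.IPv4Address(addr)) | wild) != (net | wild):
        return False
    return want_port is None or port == want_port

def _ace_matches(ace, pkt):
    if ace.proto not in ("ip", "ipv4") and ace.proto != pkt.proto:
        return False
    if not _endpoint_match(pkt.src, pkt.sport, ace.src):
        return False
    if not _endpoint_match(pkt.dst, pkt.dport, ace.dst):
        return False
    return ace.pkt_len is None or pkt.length == ace.pkt_len

def evaluate(aces, pkt):
    """First-match evaluation; returns (action, matching entry text)."""
    for ace in aces:
        if _ace_matches(ace, pkt):
            return ace.action, ace.text
    return "deny", "<implicit deny>"      # every Cisco ACL ends with an implicit deny

if __name__ == "__main__":
    acl = parse_acl(ACL_TEXT)
    for p in (Packet("192.0.2.10", "203.0.113.5", "udp", 19, 40000, 1000),
              Packet("192.0.2.10", "203.0.113.5", "udp", None, None, 1500)):
        print(p.src, p.sport, "->", evaluate(acl, p))
```

Two things worth checking with it: wildcard_to_cidr shows that the bogon entries use inverse masks (198.18.0.0 0.1.255.255 is 198.18.0.0/15, 224.0.0.0 31.255.255.255 is 224.0.0.0/3), and running a port-less fragment from a non-bogon source through evaluate returns "permit", which is exactly why the reply recommends policing UDP fragments on top of the port-based entries. Fragments from a bogon source are still caught, since those entries test only the IP header.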