On Wed, Nov 10, 1999 at 12:01:54PM -0500, Kai Schlichting wrote:
> At 11:50 AM 11/10/99 -0500, Richard A Steenbergen <ras@above.net> wrote:
> > I might almost be happy, except this breaks the oh-so-nice filter of 64.0.0.0/2 at borders (effectively reduces random src spoofed attacks by 25%, and covers 127.0.0.0/8 as well). Go ARIN. </sarcasm>
>
> One line becomes two in your ACL?
>
>   ip permit 64.0.0.0/8
>   ip deny 64.0.0.0/2
>
> The CPU loss for one more ACL line is probably offsetting the gains of spoofed traffic pretty well. That will even scale for a little while, at least for /9 and /10 in the permit line, before you seriously have to think about how much still-unallocated space you will gratuitously allow through your ACL.
Reality is it's not that simple. If you are doing any other filters that might catch on 64.0.0.0/8, you'll need to drop those lines down to the end. Besides the obvious goal of cutting spoofed traffic, one of the primary uses of this kind of filter (for myself at any rate) is to save CPU when dealing with small packet, high packet/sec random src attacks. It's not the end of the world, but it's annoying and does not help matters any. *grumble*

-- 
Richard A Steenbergen <ras@above.net> http://users.quadrunner.com/humble
PGP Key ID: 0x60AB0AD1 (E5 35 10 1D DE 7D 8C A7 09 1C 80 8B AF B9 77 BB)
AboveNet Communications - AboveSecure
Network Security Engineer, Vienna VA
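The ordering problem Richard raises (a more specific deny that sits below the new "permit 64.0.0.0/8" line never fires under first-match evaluation) is easy to check mechanically. The following is an added illustration, not code from either poster: a small first-match ACL simulator over the two-line ACL from the thread, plus a shadow detector that flags rules an earlier prefix fully covers. The `ip permit|deny prefix` syntax is taken from Kai's reply; the `64.5.0.0/16` deny and the sample source addresses are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network


@dataclass(frozen=True)
class Rule:
    action: str          # "permit" or "deny"
    prefix: IPv4Network  # CIDR prefix the rule matches on


def parse_acl(lines):
    """Parse 'ip permit|deny A.B.C.D/len' lines (syntax as written in the thread)."""
    rules = []
    for line in lines:
        parts = line.split()
        if len(parts) != 3 or parts[0] != "ip" or parts[1] not in ("permit", "deny"):
            raise ValueError(f"unrecognised ACL line: {line!r}")
        rules.append(Rule(parts[1], IPv4Network(parts[2], strict=False)))
    return rules


def evaluate(rules, src, default="permit"):
    """First-match semantics: the first rule whose prefix contains src decides.

    The thread's filter denies 64/2 and lets everything else through, so the
    implicit default here is 'permit' (a border bogon filter, not a full ACL).
    """
    addr = IPv4Address(src)
    for rule in rules:
        if addr in rule.prefix:
            return rule.action
    return default


def shadowed_rules(rules):
    """Return (index, shadowed_by) pairs for rules that can never match.

    A rule is dead if some earlier rule's prefix already covers its whole
    prefix, whatever the actions are. This is exactly what happens when a
    narrower deny is left below 'ip permit 64.0.0.0/8'.
    """
    found = []
    for j, later in enumerate(rules):
        for i in range(j):
            if later.prefix.subnet_of(rules[i].prefix):
                found.append((j, i))
                break
    return found


# The two-line ACL from the thread.
THREAD_ACL = parse_acl([
    "ip permit 64.0.0.0/8",
    "ip deny 64.0.0.0/2",
])

# Constructed: an operator also wants to drop 64.5.0.0/16 (hypothetical range)
# and appends it below the permit line, where it can never match.
BAD_ORDER = parse_acl([
    "ip permit 64.0.0.0/8",
    "ip deny 64.5.0.0/16",
    "ip deny 64.0.0.0/2",
])

# The fix Richard describes: the narrower filter moves above the permit.
GOOD_ORDER = parse_acl([
    "ip deny 64.5.0.0/16",
    "ip permit 64.0.0.0/8",
    "ip deny 64.0.0.0/2",
])


if __name__ == "__main__":
    for src in ("64.1.2.3", "65.1.2.3", "127.0.0.1", "10.0.0.1"):
        print(f"{src:>12} -> {evaluate(THREAD_ACL, src)}")
    print("shadowed in BAD_ORDER :", shadowed_rules(BAD_ORDER))
    print("shadowed in GOOD_ORDER:", shadowed_rules(GOOD_ORDER))
    print("64.5.1.1 under BAD_ORDER :", evaluate(BAD_ORDER, "64.5.1.1"))
    print("64.5.1.1 under GOOD_ORDER:", evaluate(GOOD_ORDER, "64.5.1.1"))
```

Running `shadowed_rules` over a proposed ACL before pushing it to the border is the cheap check that catches this class of mistake; note that the supernet deny (64.0.0.0/2) after the /8 permit is not shadowed, since only prefixes entirely inside an earlier prefix are dead.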