True. I see numerous strays also tho myself. I try to drop this as close to the edge as possible in some cases, but as you can see here:

deny ip host 0.0.0.0 any log-input (4322 matches)
deny ip 10.0.0.0 0.255.255.255 any log-input (625 matches)
deny ip 169.254.0.0 0.0.255.255 any log-input (887 matches)
deny ip 192.168.0.0 0.0.255.255 any log-input (11401 matches)

I get a few matches, it would appear that folks like the 192.168 the most, and the 172.16 the least (I have zero matches on this box).

Something dumb appears to be sending dhcp/bootp (0.0.0.0) (I've got a hub at home that keeps doing that, I've not been able to console into it yet)

My recommendation is to ignore it in the core, but start to drop it once it hits your edges where you tend to have lower speed links that can take filters.

u-rpf checks are nice also, it would be nice to see more folks doing it, but that's life in this world.

If you could get everyone at the exchange points to filter, that would be nice, but the fact of the matter is most traffic goes across the private interconnects, which continue to grow in size, and it's not possible or is service degrading to filter such links.

On Thu, Apr 22, 1999 at 03:42:14PM -0700, Gary E. Miller wrote:
Yo Randy!
On Thu, 22 Apr 1999, Randy Bush wrote:
deny ip 10.0.0.0 0.255.255.255 any (593 matches)
deny ip 172.16.0.0 0.15.255.255 any (201 matches)
deny ip 192.168.0.0 0.0.255.255 any (769 matches)
[...]
anyone have clues other than net slime and misconfigured nats?
The net-slime would be the folks that sent a src address at you of your network (which I saw in your acl match).
If you did a traceroute thru a router using a private address on one of its interfaces you could see this. That would be legit.
RGDS
GARY
---------------------------------------------------------------------------
Gary E. Miller Rellim 20340 Empire Ave, Suite E-3, Bend, OR 97701
gem@rellim.com Tel:+1(541)382-8588 Fax: +1(541)382-8676

--
Jared Mauch | pgp key available via finger from jared@puck.nether.net
clue++;     | http://puck.nether.net/~jared/ My statements are only mine.
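
Added example, not part of the original thread or written by any of its participants: a small Python parser for ACL counter lines in the format quoted above. It converts each wildcard mask to a prefix, ranks the filtered source ranges by hit count, and reports which entry a given source address would hit. The function names and the SAMPLE text (copied from the counters in the message) are assumptions made for illustration.

```python
import ipaddress
import re

# Constructed sample: the counter lines quoted in the message above.
SAMPLE = """\
deny ip host 0.0.0.0 any log-input (4322 matches)
deny ip 10.0.0.0 0.255.255.255 any log-input (625 matches)
deny ip 169.254.0.0 0.0.255.255 any log-input (887 matches)
deny ip 192.168.0.0 0.0.255.255 any log-input (11401 matches)
"""

# Source-address deny entries, with or without the log keyword and counter.
ENTRY = re.compile(
    r"deny\s+ip\s+(?:host\s+(?P<host>\S+)|(?P<addr>\S+)\s+(?P<wild>\S+))\s+any"
    r"(?:\s+log(?:-input)?)?(?:\s+\((?P<hits>\d+)\s+match(?:es)?\))?"
)

def wildcard_to_network(addr, wildcard):
    """Turn an address plus wildcard (inverse) mask into an IPv4Network."""
    wild = int(ipaddress.IPv4Address(wildcard))
    # A contiguous wildcard is 2**n - 1, so wild & (wild + 1) must be zero.
    if wild & (wild + 1):
        raise ValueError(f"non-contiguous wildcard mask: {wildcard}")
    base = int(ipaddress.IPv4Address(addr)) & ~wild & 0xFFFFFFFF
    return ipaddress.IPv4Network((base, 32 - wild.bit_length()))

def parse_counters(text):
    """Return [(network, hits)] sorted by hits, highest first."""
    rows = []
    for line in text.splitlines():
        m = ENTRY.search(line)
        if not m:
            continue  # not a source-address deny entry
        if m["host"]:
            net = wildcard_to_network(m["host"], "0.0.0.0")
        else:
            net = wildcard_to_network(m["addr"], m["wild"])
        rows.append((net, int(m["hits"] or 0)))
    return sorted(rows, key=lambda r: r[1], reverse=True)

def first_match(rows, src):
    """Return the filtered prefix a source address falls in, or None."""
    ip = ipaddress.IPv4Address(src)
    return next((net for net, _ in rows if ip in net), None)

if __name__ == "__main__":
    rows = parse_counters(SAMPLE)
    total = sum(hits for _, hits in rows)
    for net, hits in rows:
        print(f"{str(net):<18}{hits:>7}{hits / total:>8.1%}")
```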