As a final update to this thread, we started blocking spoofed and invalid traffic as of early Thursday morning Nov 19th. So far, knock on wood, no reports of issues from our customer base. In addition, I've been able to verify with the security research team's test tool that we are no longer responding to the spoofed DNS requests.

The ACL was implemented as follows:

Ingress
* Deny to and from bogon networks, where bogon is either source or dest
* Deny invalid TCP and UDP ports (currently only port 0) [log]
* Permit to and from transit / peer / IX connected subnets
* For IPv6, also permit link-local IPs (fe80::/10)
* Deny to and from multicast ranges 224.0.0.0/4 and ff00::/8
* Permit ICMP / traceroute over UDP to infrastructure
* Deny all other traffic to infrastructure [log]
* Permit from customer PI / PA space
* Deny from originated aggregate space [log]
* Permit all traffic to customer PI / PA space
* Permit all traffic to aggregate space
* Deny any any [log]

Egress
* Deny to and from bogon networks
* Deny invalid ports [log]
* Permit to and from transit / peer / IX connected subnets
* For IPv6, also permit link-local IPs
* Deny to and from multicast range
* Permit all traffic from any source to customer PI / PA space
* Permit all traffic from customer PI / PA space
* Permit all traffic from aggregate space
* Deny any any [log]

Below I've included the specific $VENDOR_C config I implemented for the filtering, sans specifics on our IP blocks. I hope folks find this useful as a guide to their own efforts, and constructive criticism is always welcome.

Future work includes:
* Tightening the rules permitting access to/from the transit / peer / IX connected subnets, while keeping the ACL general enough for use on all Internet-facing interfaces
* Automation of updates to aggregate and customer IP blocks (looking at using the irrpt project for this)

Once more, to those who provided valuable input, thank you very much indeed!

-Brian

!-------------
! Static ACLs for Service Provider BCP 84 Compliance
! IOS XR config
! IPv4

object-group network ipv4 IPV4-BOGON
 description Invalid IPV4 networks
 0.0.0.0/8
 10.0.0.0/8
 100.64.0.0/10
 127.0.0.0/8
 169.254.0.0/16
 172.16.0.0/12
 192.0.0.0/24
 192.0.2.0/24
 192.168.0.0/16
 198.18.0.0/15
 198.51.100.0/24
 203.0.113.0/24
 240.0.0.0/4
exit

object-group network ipv4 IPV4-TRAN-WAN
 description Transit WAN PtP subnets
 [Point to point /30's go here]
exit

object-group network ipv4 IPV4-IX
 description IX subnets
 [IX /24 and /23 subnets here]
exit

object-group network ipv4 IPV4-PEER-WAN
 description Direct peer WAN PtP subnets
 [Direct peer WAN IPs go here]
exit

object-group network ipv4 IPV4-BGP-AGG
 description ARIN IPV4 Aggregate Blocks
 [Aggregated IP blocks go here]
exit

object-group network ipv4 IPV4-INFRA
 description Infrastructure subnets to be protected
 [List of loopback blocks and backbone / core PtP /30's here]
exit

object-group network ipv4 IPV4-BACKDOOR-HOSTS
 description Hosts observed to be sending valid traffic via Internet
 [One-off hosts, active TCP or UDP traffic was observed during data collection]
exit

object-group network ipv4 IPV4-CUST
 [full list of all customer IP blocks]
 [Includes customer PI blocks, disaggregated PA from other providers,]
 [and PA assigned from your aggregate space]
exit

object-group port TCPUDP-BLOCKED
 eq 0
 [additional ports to be generally blocked, list here]
exit

ipv4 access-list IPV4-INET-IN
 10 remark BCP 84 for transits, IX, and peering
 101 remark *** Block bogon networks as src or dest ***
 110 deny ipv4 net-group IPV4-BOGON any
 111 deny ipv4 any net-group IPV4-BOGON
 201 remark *** Blocked protocols ***
 210 deny udp any port-group TCPUDP-BLOCKED any log
 211 deny udp any any port-group TCPUDP-BLOCKED log
 212 deny tcp any port-group TCPUDP-BLOCKED any log
 213 deny tcp any any port-group TCPUDP-BLOCKED log
 301 remark *** Transit, IX, peer connected networks ***
 310 permit ipv4 net-group IPV4-PEER-WAN any
 311 permit ipv4 any net-group IPV4-PEER-WAN
 312 permit ipv4 net-group IPV4-TRAN-WAN any
 313 permit ipv4 any net-group IPV4-TRAN-WAN
 314 permit ipv4 net-group IPV4-IX any
 315 permit ipv4 any net-group IPV4-IX
 401 remark *** Block multicast ***
 410 deny ipv4 224.0.0.0/4 any
 411 deny ipv4 any 224.0.0.0/4
 501 remark *** Protect infrastructure subnets ***
 510 deny icmp any net-group IPV4-INFRA fragments log
 511 permit icmp any net-group IPV4-INFRA
 512 permit udp any range 1024 65535 net-group IPV4-INFRA range 33435 33535
 513 permit udp any range 33435 33535 net-group IPV4-INFRA range 1024 65535
 515 deny ipv4 any net-group IPV4-INFRA
 601 remark *** Customer Inet BGP Announced Prefixes ***
 620 permit ipv4 net-group IPV4-CUST any
 640 permit ipv4 net-group IPV4-BACKDOOR-HOSTS any
 701 remark *** Block originated networks ***
 710 deny ipv4 net-group IPV4-BGP-AGG any log
 801 remark *** Permit traffic only to networks we announce ***
 820 permit ipv4 any net-group IPV4-BGP-AGG
 840 permit ipv4 any net-group IPV4-CUST
 901 remark *** Deny all other traffic ***
 910 deny ipv4 any any log
exit

ipv4 access-list IPV4-INET-OUT
 10 remark BCP 84 for transits, IX, and peering
 101 remark *** Block bogon networks as src or dest ***
 110 deny ipv4 net-group IPV4-BOGON any
 111 deny ipv4 any net-group IPV4-BOGON
 201 remark *** Blocked protocols ***
 210 deny udp any port-group TCPUDP-BLOCKED any log
 211 deny udp any any port-group TCPUDP-BLOCKED log
 212 deny tcp any port-group TCPUDP-BLOCKED any log
 213 deny tcp any any port-group TCPUDP-BLOCKED log
 301 remark *** Transit, IX, peer networks ***
 310 permit ipv4 net-group IPV4-PEER-WAN any
 311 permit ipv4 any net-group IPV4-PEER-WAN
 312 permit ipv4 net-group IPV4-TRAN-WAN any
 313 permit ipv4 any net-group IPV4-TRAN-WAN
 314 permit ipv4 net-group IPV4-IX any
 315 permit ipv4 any net-group IPV4-IX
 401 remark *** Block multicast ***
 410 deny ipv4 224.0.0.0/4 any
 411 deny ipv4 any 224.0.0.0/4
 601 remark *** Customer Inet BGP Announced Prefixes ***
 620 permit ipv4 any net-group IPV4-CUST
 640 permit ipv4 any net-group IPV4-BACKDOOR-HOSTS
 801 remark *** Permit locally sourced traffic ***
 820 permit ipv4 net-group IPV4-BGP-AGG any
 840 permit ipv4 net-group IPV4-CUST any
 901 remark *** Deny all other traffic ***
 910 deny ipv4 any any log
exit

! IPv6

object-group network ipv6 IPV6-BOGON
 description Invalid IPV6 networks
 ::/3
 2001::/23
 2001:2::/48
 2001:10::/28
 2001:db8::/32
 2002::/16
 3ffe::/16
 4000::/3
 6000::/3
 8000::/3
 a000::/3
 c000::/3
 e000::/4
 f000::/5
 f800::/6
 fc00::/7
 fe00::/9
 fec0::/10
exit

object-group network ipv6 IPV6-TRAN-WAN
 description Transit WAN PtP subnets
 [Point to point /126's go here]
exit

object-group network ipv6 IPV6-IX
 description IX subnets
 [IX /64 subnets here]
exit

object-group network ipv6 IPV6-PEER-WAN
 description Direct peer WAN PtP subnets
 [Direct peer WAN /126's go here]
exit

object-group network ipv6 IPV6-BGP-AGG
 description ARIN IPV6 Aggregate Blocks
 [Aggregated IP blocks go here]
exit

object-group network ipv6 IPV6-INFRA
 description Infrastructure subnets to be protected
 [List of loopback blocks and backbone / core PtP WAN IPs here]
exit

object-group network ipv6 IPV6-CUST
 [full list of all customer IP blocks]
 [Includes customer PI blocks, disaggregated PA from other providers,]
 [and PA assigned from your aggregate space]
exit

ipv6 access-list IPV6-INET-IN
 10 remark BCP 84 for transits, IX, and peering
 101 remark *** Block bogon networks as src or dest ***
 110 deny ipv6 net-group IPV6-BOGON any
 111 deny ipv6 any net-group IPV6-BOGON
 201 remark *** Blocked protocols ***
 210 deny udp any port-group TCPUDP-BLOCKED any log
 211 deny udp any any port-group TCPUDP-BLOCKED log
 212 deny tcp any port-group TCPUDP-BLOCKED any log
 213 deny tcp any any port-group TCPUDP-BLOCKED log
 301 remark *** Transit, IX, peer connected networks ***
 310 permit ipv6 fe80::/10 any
 311 permit ipv6 net-group IPV6-PEER-WAN any
 312 permit ipv6 any net-group IPV6-PEER-WAN
 313 permit ipv6 net-group IPV6-TRAN-WAN any
 314 permit ipv6 any net-group IPV6-TRAN-WAN
 315 permit ipv6 net-group IPV6-IX any
 316 permit ipv6 any net-group IPV6-IX
 401 remark *** Block multicast ***
 410 deny ipv6 ff00::/8 any
 411 deny ipv6 any ff00::/8
 501 remark *** Protect infrastructure subnets ***
 510 deny icmp any net-group IPV6-INFRA fragments log
 511 permit icmp any net-group IPV6-INFRA
 512 permit udp any range 1024 65535 net-group IPV6-INFRA range 33435 33535
 513 permit udp any range 33435 33535 net-group IPV6-INFRA range 1024 65535
 515 deny ipv6 any net-group IPV6-INFRA
 601 remark *** Customer Inet BGP Announced Prefixes ***
 620 permit ipv6 net-group IPV6-CUST any
 701 remark *** Block networks we originate ***
 710 deny ipv6 net-group IPV6-BGP-AGG any log
 801 remark *** Permit traffic only to networks we announce ***
 820 permit ipv6 any net-group IPV6-BGP-AGG
 840 permit ipv6 any net-group IPV6-CUST
 901 remark *** Deny all other traffic ***
 910 deny ipv6 any any log
exit

ipv6 access-list IPV6-INET-OUT
 10 remark BCP 84 for transits, IX, and peering
 101 remark *** Block bogon networks as src or dest ***
 110 deny ipv6 net-group IPV6-BOGON any
 111 deny ipv6 any net-group IPV6-BOGON
 201 remark *** Blocked protocols ***
 210 deny udp any port-group TCPUDP-BLOCKED any log
 211 deny udp any any port-group TCPUDP-BLOCKED log
 212 deny tcp any port-group TCPUDP-BLOCKED any log
 213 deny tcp any any port-group TCPUDP-BLOCKED log
 301 remark *** Transit, IX, peer networks ***
 310 permit ipv6 fe80::/10 any
 311 permit ipv6 net-group IPV6-PEER-WAN any
 312 permit ipv6 any net-group IPV6-PEER-WAN
 313 permit ipv6 net-group IPV6-TRAN-WAN any
 314 permit ipv6 any net-group IPV6-TRAN-WAN
 315 permit ipv6 net-group IPV6-IX any
 316 permit ipv6 any net-group IPV6-IX
 401 remark *** Block multicast ***
 410 deny ipv6 ff00::/8 any
 411 deny ipv6 any ff00::/8
 601 remark *** Customer Inet BGP Announced Prefixes ***
 620 permit ipv6 any net-group IPV6-CUST
 801 remark *** Permit locally sourced traffic ***
 820 permit ipv6 net-group IPV6-BGP-AGG any
 840 permit ipv6 net-group IPV6-CUST any
 901 remark *** Deny all other traffic ***
 910 deny ipv6 any any log
exit

! On any transit, IX, or peer port
!
interface TenGigE0/0/0/0
 ipv4 access-group IPV4-INET-IN ingress
 ipv4 access-group IPV4-INET-OUT egress
 ipv6 access-group IPV6-INET-IN ingress
 ipv6 access-group IPV6-INET-OUT egress
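Added example, not part of Brian's post or his router config: a small Python model of the posted IPV4-INET-IN ordering, so the first-match behaviour can be checked offline before an ACL like this goes on a transit port. The bogon list and sequence numbers are the ones from the post; every other prefix (192.0.9.0/30, 192.0.16.0/20, 192.0.20.0/22 and so on) is a constructed stand-in for the bracketed "[... go here]" slots, and the names Packet, evaluate and render_object_group are my own. Walking sample packets through it shows two things the flattened listing makes easy to miss: customer PA carved from the aggregate is permitted at 620 before the 710 anti-spoof line is reached, so 710 only catches aggregate space that is not in IPV4-CUST, and the explicit 910 line is what turns the otherwise silent implicit deny into a logged event.

```python
# Added example, not from the post: offline model of the IPV4-INET-IN ordering.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Bogon list as posted; all other prefixes are constructed placeholders.
GROUPS = {
    "IPV4-BOGON": ["0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
                   "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24",
                   "192.0.2.0/24", "192.168.0.0/16", "198.18.0.0/15",
                   "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4"],
    "IPV4-TRAN-WAN": ["192.0.9.0/30"],                 # constructed
    "IPV4-IX": ["192.0.10.0/24"],                      # constructed
    "IPV4-PEER-WAN": ["192.0.11.0/30"],                # constructed
    "IPV4-BGP-AGG": ["192.0.16.0/20"],                 # constructed aggregate we originate
    "IPV4-INFRA": ["192.0.16.0/24"],                   # constructed loopback block inside it
    "IPV4-BACKDOOR-HOSTS": ["192.0.12.5/32"],          # constructed
    "IPV4-CUST": ["192.0.20.0/22", "192.0.64.0/24"],   # constructed PA-from-aggregate + PI
    "MULTICAST": ["224.0.0.0/4"],
    "any": ["0.0.0.0/0"],
}
NETS = {g: [ip_network(p) for p in ps] for g, ps in GROUPS.items()}
ANY, BLOCKED, HIGH, TRACEROUTE = (0, 65535), (0, 0), (1024, 65535), (33435, 33535)

# (seq, action, proto, src group, src ports, dst group, dst ports, fragments-only)
INET_IN = [
    (110, "deny", "ipv4", "IPV4-BOGON", ANY, "any", ANY, False),
    (111, "deny", "ipv4", "any", ANY, "IPV4-BOGON", ANY, False),
    (210, "deny", "udp", "any", BLOCKED, "any", ANY, False),
    (211, "deny", "udp", "any", ANY, "any", BLOCKED, False),
    (212, "deny", "tcp", "any", BLOCKED, "any", ANY, False),
    (213, "deny", "tcp", "any", ANY, "any", BLOCKED, False),
    (310, "permit", "ipv4", "IPV4-PEER-WAN", ANY, "any", ANY, False),
    (311, "permit", "ipv4", "any", ANY, "IPV4-PEER-WAN", ANY, False),
    (312, "permit", "ipv4", "IPV4-TRAN-WAN", ANY, "any", ANY, False),
    (313, "permit", "ipv4", "any", ANY, "IPV4-TRAN-WAN", ANY, False),
    (314, "permit", "ipv4", "IPV4-IX", ANY, "any", ANY, False),
    (315, "permit", "ipv4", "any", ANY, "IPV4-IX", ANY, False),
    (410, "deny", "ipv4", "MULTICAST", ANY, "any", ANY, False),
    (411, "deny", "ipv4", "any", ANY, "MULTICAST", ANY, False),
    (510, "deny", "icmp", "any", ANY, "IPV4-INFRA", ANY, True),
    (511, "permit", "icmp", "any", ANY, "IPV4-INFRA", ANY, False),
    (512, "permit", "udp", "any", HIGH, "IPV4-INFRA", TRACEROUTE, False),
    (513, "permit", "udp", "any", TRACEROUTE, "IPV4-INFRA", HIGH, False),
    (515, "deny", "ipv4", "any", ANY, "IPV4-INFRA", ANY, False),
    (620, "permit", "ipv4", "IPV4-CUST", ANY, "any", ANY, False),
    (640, "permit", "ipv4", "IPV4-BACKDOOR-HOSTS", ANY, "any", ANY, False),
    (710, "deny", "ipv4", "IPV4-BGP-AGG", ANY, "any", ANY, False),
    (820, "permit", "ipv4", "any", ANY, "IPV4-BGP-AGG", ANY, False),
    (840, "permit", "ipv4", "any", ANY, "IPV4-CUST", ANY, False),
    (910, "deny", "ipv4", "any", ANY, "any", ANY, False),
]


@dataclass
class Packet:
    src: str
    dst: str
    proto: str            # "tcp", "udp", "icmp" or anything else
    sport: int = 0
    dport: int = 0
    fragment: bool = False  # non-initial fragment (what the "fragments" keyword matches)


def in_group(addr: str, group: str) -> bool:
    a = ip_address(addr)
    return any(a in net for net in NETS[group])


def evaluate(pkt: Packet, acl=INET_IN):
    """First-match lookup: returns (sequence number, action) of the line that
    fires. A None sequence is the implicit deny, which the posted 910 line
    makes explicit (and logged)."""
    for seq, action, proto, sg, sp, dg, dp, frag_only in acl:
        if proto != "ipv4" and proto != pkt.proto:   # "ipv4" lines match any protocol
            continue
        if frag_only and not pkt.fragment:
            continue
        if not (in_group(pkt.src, sg) and in_group(pkt.dst, dg)):
            continue
        if proto in ("tcp", "udp") and not (
                sp[0] <= pkt.sport <= sp[1] and dp[0] <= pkt.dport <= dp[1]):
            continue
        return seq, action
    return None, "deny"


def render_object_group(name: str, description: str = "") -> str:
    """IOS XR object-group stanza for one group, the shape an automated prefix
    feed (the irrpt-style future work in the post) would regenerate."""
    lines = [f"object-group network ipv4 {name}"]
    if description:
        lines.append(f" description {description}")
    lines += [f" {net}" for net in NETS[name]]
    return "\n".join(lines + ["exit"])


if __name__ == "__main__":
    samples = [  # constructed packets arriving inbound on a transit port
        ("spoofed source inside our aggregate", Packet("192.0.30.7", "192.0.20.9", "tcp", 40000, 443)),
        ("DNS query to a loopback", Packet("1.2.3.4", "192.0.16.1", "udp", 40000, 53)),
        ("traceroute probe to a loopback", Packet("1.2.3.4", "192.0.16.1", "udp", 40000, 33440)),
    ]
    for label, pkt in samples:
        print(f"{label}: matched line {evaluate(pkt)}")
```

Swap the placeholder prefixes for real blocks and add the packets you care about (the spoofed DNS probe the research team used, a customer's multihomed return traffic, a traceroute into a core router) before and after any reordering; the sequence number that fires tells you which line is doing the work, which is also what the "log" keyword will show once the ACL is live.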