Date: Tue, 09 Oct 2001 07:58:19 -0700
From: Grant A. Kirkwood <grant@virtical.net>
I'm currently in the process of setting up a new border router, and the recent debate on the above topic got me wondering what the best practice filtering policy is? Is there one?
And what do people put in place in terms of anti-spoofing ACLs and such? There's a wealth of information on these topics, but no real consensus.
+ If you're running BGP, filter your as-paths and netblocks to avoid any unwanted redistribution. This is always a bad thing, and long as-paths don't necessarily rule out a path being taken; remember that local-pref overrides as-path length. If it's an edge router, you needn't worry too much about prefix length -- they're already filtered for you.

+ You want to prevent forged outbound packets. They have no valid[1] use, and forged packets make tracing DoS attacks a pain.

  [1] I recall hearing that some satellite downlink Web service required the ability to send packets from their netblock. However, you can selectively allow these, as you would your own netblock.

+ Disallow 10/8, 172.16/12, and 192.168/16 -- no need for them to go anywhere.

Eddy

---------------------------------------------------------------------------
Brotsman & Dreger, Inc. - EverQuick Internet Division
Phone: +1 (316) 794-8922 Wichita/(Inter)national
Phone: +1 (785) 865-5885 Lawrence
---------------------------------------------------------------------------
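
The source-address rules from the reply above, written out as a small policy check. This is an added example, not part of the original thread; the function names and the sample prefixes (192.0.2.0/24 as "our" netblock, 198.51.100.0/24 as the selectively allowed exception) are assumptions made for illustration.

```python
import ipaddress

# Private blocks exactly as the post writes them (router-style shorthand).
PRIVATE_SHORTHAND = ["10/8", "172.16/12", "192.168/16"]

def expand(shorthand):
    """Turn shorthand such as '172.16/12' into an IPv4Network (pads missing octets)."""
    addr, _, length = shorthand.partition("/")
    octets = addr.split(".")
    octets += ["0"] * (4 - len(octets))
    return ipaddress.ip_network(".".join(octets) + "/" + length)

PRIVATE = [expand(s) for s in PRIVATE_SHORTHAND]

def _in_any(ip, nets):
    return any(ip in net for net in nets)

def ingress_verdict(src):
    """Inbound at the border: private sources have no business arriving."""
    ip = ipaddress.ip_address(src)
    return "deny: private source" if _in_any(ip, PRIVATE) else "permit"

def egress_verdict(src, own_nets, exceptions=()):
    """Outbound: the source must be one of our blocks or an explicit exception."""
    ip = ipaddress.ip_address(src)
    if _in_any(ip, PRIVATE):
        return "deny: private source"
    if _in_any(ip, own_nets) or _in_any(ip, exceptions):
        return "permit"
    return "deny: forged source"

# Constructed sample data (documentation prefixes, not real assignments).
OWN = [ipaddress.ip_network("192.0.2.0/24")]
EXCEPTIONS = [ipaddress.ip_network("198.51.100.0/24")]  # e.g. a downlink provider

if __name__ == "__main__":
    for src in ["192.0.2.10", "198.51.100.7", "203.0.113.5",
                "172.31.255.255", "172.32.0.1"]:
        print("egress ", src, "->", egress_verdict(src, OWN, EXCEPTIONS))
    for src in ["10.1.2.3", "203.0.113.5"]:
        print("ingress", src, "->", ingress_verdict(src))
```

The 172.31.255.255 and 172.32.0.1 cases mark the upper edge of 172.16/12, which is the boundary most often mistyped when these blocks are turned into ACL entries.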