high volume from outside our networks question

rich carroll richcarroll at gmail.com
Fri Feb 1 15:26:56 UTC 2013


The spoofed IPs are coming from the outside world as real, legitimate IPs.
They are not coming internally and then heading outwards. We have to allow
port 53 traffic from the internet because we publish a dozen domains or so,
and also cache for our customers. The question is why the server
responds at all to any external request for a domain that we do not publish.
We would still have the problem if they did a request for one of our
domains, but at least they would lose the amplifying effect of using a
small packet to send a larger one at their target.

On Fri, Feb 1, 2013 at 3:33 AM, Steven Carr <sjcarr at gmail.com> wrote:

> You should be complying with BCP 38 [http://tools.ietf.org/html/bcp38]
> for Inbound Network Filtering which will reduce a lot of unwanted
> packets getting into your network.
>
> Our inbound (Cisco) ACL looks like the following and I check up on the
> bogon addresses
> [http://www.team-cymru.org/Services/Bogons/bogon-dd.html] regularly to
> see if they need to be updated:
>
>  ! filter out the crud
>  ! deny own ip
>  deny ip 213.120.108.211 0.0.0.0 any
>  ! deny bogon addresses
>  deny ip 0.0.0.0 0.255.255.255 any
>  deny ip 100.64.0.0 0.63.255.255 any
>  deny ip 127.0.0.0 0.255.255.255 any
>  deny ip 169.254.0.0 0.0.255.255 any
>  deny ip 192.0.0.0 0.0.0.255 any
>  deny ip 192.0.2.0 0.0.0.255 any
>  deny ip 198.18.0.0 0.1.255.255 any
>  deny ip 198.51.100.0 0.0.0.255 any
>  deny ip 203.0.113.0 0.0.0.255 any
>  deny ip 224.0.0.0 31.255.255.255 any
>  ! deny broadcast
>  deny ip host 255.255.255.255 any
>  deny ip host 0.0.0.0 any
>  ! deny non-routables
>  deny ip 10.0.0.0 0.255.255.255 any
>  deny ip 172.16.0.0 0.15.255.255 any
>  deny ip 192.168.0.0 0.0.255.255 any
>  !
>
> Steve



-- 
Richard Carroll
richcarroll at gmail.com
785-288-1144
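The split Rich is asking about, serving published zones to anyone while recursing and answering from cache only for customers, is a named.conf matter rather than a router ACL. The fragment below is an added example, not configuration from the thread or from ISC; the acl name "customers", the prefixes 192.0.2.0/24 and 198.51.100.0/24 (documentation ranges standing in for real customer networks), the zone "example.com" and the file paths are all placeholders.

```conf
// Added example (not from the original thread): BIND 9 named.conf fragment
// that answers authoritatively for published zones to any source, but only
// recurses and serves cached data for the operator's own customer networks.
// "customers", the prefixes, "example.com" and the paths are assumptions.

acl "customers" {
    127.0.0.0/8;
    192.0.2.0/24;       // placeholder customer range
    198.51.100.0/24;    // placeholder customer range
};

options {
    directory "/var/named";

    // Recursion stays on, but only for customers. With "any" here (or with
    // recursion unrestricted), a spoofed query for an unrelated domain gets a
    // full recursive answer, which is the amplifier in a reflection attack.
    recursion yes;
    allow-recursion { customers; };
    allow-query-cache { customers; };

    // Anyone may still send queries: outsiders receive authoritative data for
    // the published zones and a small REFUSED for every other name.
    allow-query { any; };

    // Response Rate Limiting: caps identical responses per source /24 so the
    // authoritative side is a poor amplifier too. Built into BIND from 9.9.4
    // on (default in 9.10); at the time of this thread it was a separate patch.
    rate-limit {
        responses-per-second 5;
        window 5;
        slip 2;
        ipv4-prefix-length 24;
    };
};

zone "example.com" {
    type master;
    file "example.com.zone";
    allow-query { any; };
};
```

Check the result with `named-checkconf` before reloading, then from an address outside the customers acl run `dig @<server> www.example.org A` and expect `status: REFUSED`; the same query for a name inside a published zone should still answer with `aa` set. Note that allow-query-cache must be restricted as well as allow-recursion, otherwise an outsider can still read whatever customers have already pulled into the cache.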