[Dshield] These kind of attacks from 127.0.0.1 seems to be a REAL ATTACK

Ruigrok, Jeroen jeroen_ruigrok at epson-europe.com
Fri Feb 20 12:32:12 GMT 2004


> Anybody got a clue what exactly this could be ? For now we
> blocked the stuff on our routers not to route loopback ips.

You mean you normally *do* route 127/8?  That's in direct violation
of RFC 1700, and emphasised in RFC 3300 again.

I so wish people would just follow the Manning draft (or whatever
it is called today) as well and apply those networks plus anti-spoofing
at *every* gateway.

But then again, wishful thinking, back in the days when I did
BGP on the AMSIX we saw our share of /32 being advertised.
And people wonder why the Internet is such a messy place at times.

For those who do not know, manning draft:

deny all from any to 127.0.0.0/8
deny all from any to 0.0.0.0/8 via ${oif}
deny all from any to 169.254.0.0/16 via ${oif}
deny all from any to 192.0.2.0/24 via ${oif}
deny all from any to 224.0.0.0/4 via ${oif}
deny all from any to 240.0.0.0/4 via ${oif}

oif = outside interface.

Of course, also make sure these addresses don't get sent out beyond
your border router/egress filter.

Mmm, seems I need to add 192.0.2.0/24 as well.

-- 
Jeroen Ruigrok van der Werven <jeroen_ruigrok at epson-europe.com>
Tel: +31-(0)30-6928727 
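The rule list above is written for a packet filter; as an added illustration (not the poster's code, and not from the Manning draft itself), here is the same logic as a small Python check that applies the destination-based deny rules, honouring the "via ${oif}" qualifier, and adds the anti-spoofing source check the post asks for at every gateway. The interface name "eth0" standing in for ${oif} and the sample packets are constructed; the 198.51.100.0/24 and 203.0.113.0/24 addresses are used only as stand-in public addresses.

```python
"""Bogon / anti-spoofing check modelled on the rule list quoted in the post.

Added example, not the poster's code. The interface name used for ${oif}
and the sample packets below are constructed for this illustration.
"""
import ipaddress
from typing import NamedTuple, Optional

OUTSIDE_IF = "eth0"  # assumed name for the post's ${oif}; constructed

# Networks from the post's list. The flag records whether the rule carries
# "via ${oif}" (True) or applies on every interface (False, the 127/8 rule).
MANNING_RULES = [
    (ipaddress.ip_network("127.0.0.0/8"), False),
    (ipaddress.ip_network("0.0.0.0/8"), True),
    (ipaddress.ip_network("169.254.0.0/16"), True),
    (ipaddress.ip_network("192.0.2.0/24"), True),
    (ipaddress.ip_network("224.0.0.0/4"), True),
    (ipaddress.ip_network("240.0.0.0/4"), True),
]


class Packet(NamedTuple):
    src: str
    dst: str
    iface: str  # interface the packet is seen on


def deny_to_bogon(pkt: Packet, oif: str = OUTSIDE_IF) -> Optional[str]:
    """The post's rules: 'deny all from any to NET [via ${oif}]'.

    Returns the matching network as a string, or None if no rule matches.
    """
    dst = ipaddress.ip_address(pkt.dst)
    for net, outside_only in MANNING_RULES:
        if outside_only and pkt.iface != oif:
            continue  # rule only applies on the outside interface
        if dst in net:
            return str(net)
    return None


def deny_spoofed_source(pkt: Packet, oif: str = OUTSIDE_IF) -> Optional[str]:
    """Anti-spoofing on the outside interface: a packet arriving from the
    Internet can never legitimately carry one of these networks as its source.
    """
    if pkt.iface != oif:
        return None
    src = ipaddress.ip_address(pkt.src)
    for net, _ in MANNING_RULES:
        if src in net:
            return str(net)
    return None


def verdict(pkt: Packet, oif: str = OUTSIDE_IF) -> str:
    """Combine both checks into a single deny/permit decision."""
    hit = deny_to_bogon(pkt, oif)
    if hit:
        return f"deny (dst in {hit})"
    hit = deny_spoofed_source(pkt, oif)
    if hit:
        return f"deny (spoofed src in {hit})"
    return "permit"


# Constructed sample traffic, not captured data.
SAMPLE_PACKETS = [
    Packet("203.0.113.7", "127.0.0.1", "eth0"),     # the thread's case: loopback dst from outside
    Packet("10.0.0.5", "127.0.0.1", "eth1"),        # loopback dst on an inside iface: still denied
    Packet("127.0.0.1", "198.51.100.9", "eth0"),    # loopback as source on the outside iface
    Packet("10.0.0.5", "224.0.0.251", "eth1"),      # multicast dst inside: rule is ${oif}-only, permitted
    Packet("10.0.0.5", "224.0.0.251", "eth0"),      # multicast dst on the outside iface: denied
    Packet("203.0.113.7", "198.51.100.9", "eth0"),  # ordinary traffic: permitted
]


def run(packets=SAMPLE_PACKETS, oif=OUTSIDE_IF):
    """Return (packet, verdict) pairs for a list of packets."""
    return [(p, verdict(p, oif)) for p in packets]


if __name__ == "__main__":
    for p, v in run():
        print(f"{p.iface:5} {p.src:>15} -> {p.dst:<15} {v}")
```

The 127/8 rule is the only one without "via ${oif}", so loopback destinations are dropped on every interface, while the other networks (link-local, multicast, class E, the 192.0.2.0/24 test net) are only refused where they would leave or enter through the outside interface; the source check is the separate egress/ingress anti-spoofing step the post says belongs at every gateway.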