When examining inbound traffic at your Internet edge, there are quite a few source networks that should be discarded outright. RFC 3330 (Special-Use IPv4 Addresses; since obsoleted by RFC 5735 and then RFC 6890, which carry the current list) specifies many of them.
Local Networks
In any sanely run network you should never see inbound traffic at the edge sourced from your own address space: a packet arriving from the Internet that claims to come from inside is spoofed. So if 12.3.45.0/24 is your public address space, the ACL applied inbound on the Internet-facing interface should drop any packet whose source address falls in that network.
RFC 1918
10.0.0.0 /8
172.16.0.0 /12
192.168.0.0 /16
An easy way to remember the CIDR prefix lengths (found on GroupStudy): each is 4 greater than the last (8, 12, 16).
Local-only Networks
0.0.0.0 /8
127.0.0.0 /8 – note: not just 127.0.0.1!
169.254.0.0 /16
These are (respectively) the "this network" range, the loopback address space, and the IPv4 link-local range (RFC 3927), which Microsoft calls AutoNet or APIPA (Automatic Private IP Addressing). None of them is routable, so none can legitimately appear as a source on an Internet-facing interface.
Reserved Networks
192.0.2.0 /24 – TEST-NET, reserved for documentation and example configurations (the address-space counterpart of example.com). RFC 5737 later added 198.51.100.0/24 (TEST-NET-2) and 203.0.113.0/24 (TEST-NET-3), which deserve the same treatment.
198.18.0.0 /15 – benchmark testing of network devices (RFC 2544)
240.0.0.0 /4 – Class E, reserved; this range also contains the limited broadcast address 255.255.255.255, which is never a valid source
Multicast
224.0.0.0 /4
Multicast addresses are group destinations by definition; a packet whose source address falls in this range is spoofed or malformed and can be dropped without a second thought.
Unassigned Address Space
Many experts recommend filtering all unallocated address space as well (networks that IANA has not yet assigned to a regional registry such as ARIN or APNIC, or that a registry has not yet assigned to an ISP or end user). The catch is that this list changes: a stale ACL blackholes legitimate traffic from a newly assigned network, so the filter has to be refreshed from a maintained source rather than typed in once and forgotten. For a regularly updated list, see the Bogon Reference at Team Cymru.
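The following is an added example, not part of the original post, showing the whole filter from this page as working code: the static prefixes listed above (with the page's 12.3.45.0/24 standing in for your own allocation), a classifier run over a constructed flow log, a merge step for an external unallocated-space feed, and a rendering of the result as a Cisco IOS extended ACL. The feed format (one CIDR per line, '#' comments) and the log line format are assumptions for the sake of the example.

```python
import ipaddress

# Prefixes the post says should never appear as an inbound source, keyed by
# the reason to drop them. "Own address space" uses the post's example
# prefix 12.3.45.0/24 (assumption); substitute your real allocation.
STATIC_BOGONS = {
    "own address space (spoofed)": ["12.3.45.0/24"],
    "RFC 1918 private": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
    "local-only": ["0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16"],
    "reserved": ["192.0.2.0/24", "198.18.0.0/15", "240.0.0.0/4"],
    "multicast": ["224.0.0.0/4"],
}


def build_table(groups):
    """Flatten the dict into (network, reason) pairs, most specific first so
    a narrower prefix wins if two lists ever overlap."""
    table = [(ipaddress.ip_network(p, strict=True), reason)
             for reason, prefixes in groups.items() for p in prefixes]
    return sorted(table, key=lambda t: t[0].prefixlen, reverse=True)


def classify_source(src, table):
    """Return the drop reason for a source address, or None if it may pass."""
    addr = ipaddress.ip_address(src)
    for net, reason in table:
        if addr in net:
            return reason
    return None


def merge_bogon_feed(table, feed_text, reason="unallocated (bogon feed)"):
    """Add prefixes from a one-CIDR-per-line text feed with '#' comment lines
    (assumed format). Returns a new table; the caller re-runs this whenever
    the feed is refreshed so new allocations are not blackholed."""
    extra = []
    for line in feed_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        extra.append((ipaddress.ip_network(line, strict=False), reason))
    return sorted(table + extra, key=lambda t: t[0].prefixlen, reverse=True)


def cisco_acl(table, name="EDGE-INBOUND"):
    """Render the table as an IOS extended ACL. IOS takes wildcard masks
    (inverted netmasks), which the ipaddress module exposes as hostmask."""
    lines = [f"ip access-list extended {name}"]
    for net, reason in table:
        lines.append(f" remark {reason}: {net}")
        lines.append(f" deny ip {net.network_address} {net.hostmask} any")
    lines.append(" permit ip any any")
    return "\n".join(lines)


def triage_log(log_lines, table):
    """Run the classifier over 'src=... dst=...' flow lines (constructed
    format) and return (src, reason) for each line the ACL would drop."""
    dropped = []
    for line in log_lines:
        fields = dict(kv.split("=", 1) for kv in line.split() if "=" in kv)
        reason = classify_source(fields["src"], table)
        if reason:
            dropped.append((fields["src"], reason))
    return dropped


# Constructed sample flow log; none of this is real traffic.
SAMPLE_LOG = [
    "src=192.168.1.5 dst=12.3.45.10 proto=tcp dport=80",
    "src=12.3.45.200 dst=12.3.45.10 proto=udp dport=53",
    "src=224.0.0.1 dst=12.3.45.10 proto=udp dport=5353",
    "src=198.51.100.7 dst=12.3.45.10 proto=tcp dport=443",
    "src=255.255.255.255 dst=12.3.45.10 proto=udp dport=67",
    "src=203.0.113.9 dst=12.3.45.10 proto=tcp dport=22",
]

# Constructed stand-in for a downloaded unallocated-space feed.
SAMPLE_FEED = "# bogon feed, constructed sample\n203.0.113.0/24\n"

if __name__ == "__main__":
    table = build_table(STATIC_BOGONS)
    for src, reason in triage_log(SAMPLE_LOG, table):
        print(f"drop {src:16} {reason}")
    table = merge_bogon_feed(table, SAMPLE_FEED)
    print(cisco_acl(table))
```

Note what the static list misses: 198.51.100.7 and 203.0.113.9 pass the RFC 3330-era prefixes, and only the feed merge catches the latter. That gap is exactly why the unallocated-space list has to be maintained rather than hard-coded.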