A Cisco router that sits between a private network and the public Internet should always block packets from certain source IP addresses. As specified in RFC 1918, certain IP address ranges have been reserved for private networks. These address ranges can not be routed from the Internet, and should be blocked from entering an internal private network.
! Sample anti-spoofing Cisco configuration ! Block Private Address Space access-list 100 deny ip 10.0.0.0 0.255.255.255 any log access-list 100 deny ip 172.16.0.0 0.15.255.255 any log access-list 100 deny ip 192.168.0.0 0.0.255.255 any log ! Block Autoconfiguration Space access-list 100 deny ip 169.254.0.0 0.0.255.255 any log ! Block Loopback Space access-list 100 deny ip 127.0.0.0 0.0.255.255 any log ! Block Multicast access-list 100 deny ip 224.0.0.0 15.255.255.255 any log ! Allow All Other Traffic access-list 100 permit ip any any ! ! Add the following to the external interface ! Ex. interface fastethernet0/0 ip access-group 100 in |
The following are the three designated private address ranges:
10.0.0.0 - 10.255.255.255 netmask 255.0.0.0 (10.x.x.x/8) 172.16.0.0 - 172.31.255.255 netmask 255.128.0.0 (172.16.x.x/12) 192.168.0.0 - 192.168.255.255 netmask 255.255.0.0 (192.168.x.x/16)
The following range is reserved for autoconfiguration:
169.254.0.0 - 169.254.255.255 netmask 255.255.0.0 (169.254.x.x/16)Autoconfiguration kicks in on certain Macintosh and IBM PCs running recent operating systems. If a host is not assigned a hardcoded IP address and cannot acquire one via DHCP, it will generate a random IP address between 169.254.0.1 and 169.254.255.254.
Another range to consider is the loopback range:
127.0.0.0 - 127.255.255.255 netmask 255.0.0.0 (127.x.x.x/8)A host uses a loopback address to refer to itself. The most commonly used loopback address is 127.0.0.1, but any address within the entire range is valid as a self-referencing address.
The following range is used exclusively for multicasting:
224.0.0.0 - 239.255.255.255Multicast addresses are used to send traffic from one host to several hosts within a private network. These broadcast packets should also be blocked from the outside.