May 23 / Greg

Block RFC-1918 Spoofed Traffic

A general rule of thumb in a service provider network is to block RFC-1918 (private) address space. You want to block it coming in from your upstream providers too, but filtering it inside your own network is generally a good idea as well. You will also want to block any traffic arriving from your provider that is sourced from your own address space: why would you be receiving traffic from outside your network that carries your own network's addresses?

First create the address-list that contains the RFC-1918 address space as well as the multicast range.

/ip firewall address-list
add address=192.168.0.0/16 comment="" disabled=no list=rfc-1918
add address=172.16.0.0/12 comment="" disabled=no list=rfc-1918
add address=10.0.0.0/8 comment="" disabled=no list=rfc-1918
add address=0.0.0.0/8 comment="" disabled=no list=rfc-1918
add address=224.0.0.0/3 comment="" disabled=no list=rfc-1918

Next, create address-lists containing the private addressing that is legitimately in use inside your network.

/ip firewall address-list
add address=10.0.0.0/24 comment="" disabled=no list=local-subnets

We then create two firewall rules: one that accepts traffic from our defined local-subnets, and a second that drops everything else sourced from rfc-1918 and multicast space. The accept rule must come first, since the local subnet also falls inside 10.0.0.0/8 and would otherwise be dropped.

/ip firewall filter
add action=accept chain=forward comment=\
    "accept traffic from our local subnets" disabled=no src-address-list=\
    local-subnets
add action=drop chain=forward comment=\
    "block anything sourced from RFC-1918 and multicast." disabled=no \
    src-address-list=rfc-1918

If you are curious about who is sending what where, duplicate the drop rule but change the action to log. The log entries will give you the in/out interface, MAC address and source/destination IP of the packets. You can then look up the MAC address and track the sender down.

*NOTE* Exercise caution when logging. If this is a high-packet-count spoofed attack, you may kill your router's CPU.
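To see why rule order matters in the forward chain above, here is a small model of RouterOS first-match evaluation over the post's two address-lists, with the optional passthrough log rule inserted before the drop. This is an added illustration, not RouterOS code or anything from the original post; the sample source addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass

# Address lists mirroring the post's /ip firewall address-list entries.
ADDRESS_LISTS = {
    "rfc-1918": ["192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8",
                 "0.0.0.0/8", "224.0.0.0/3"],
    "local-subnets": ["10.0.0.0/24"],
}

@dataclass
class Rule:
    action: str            # "accept", "drop" or "log" (log is passthrough)
    src_address_list: str
    comment: str = ""

# Same order as the post's forward chain, plus the suggested log duplicate.
FORWARD_CHAIN = [
    Rule("accept", "local-subnets", "accept traffic from our local subnets"),
    Rule("log", "rfc-1918", "log spoofed sources before dropping"),
    Rule("drop", "rfc-1918", "block anything sourced from RFC-1918 and multicast."),
]

def in_list(src: str, list_name: str) -> bool:
    ip = ipaddress.ip_address(src)
    return any(ip in ipaddress.ip_network(p) for p in ADDRESS_LISTS[list_name])

def evaluate(src: str, chain=FORWARD_CHAIN):
    """Walk the chain top-down; the first terminating match wins.
    Returns (final_action, logged). No match means the implicit accept."""
    logged = False
    for rule in chain:
        if not in_list(src, rule.src_address_list):
            continue
        if rule.action == "log":
            logged = True      # log does not terminate; keep walking
            continue
        return rule.action, logged
    return "accept", logged

if __name__ == "__main__":
    # Constructed sample sources: legit local, spoofed private, public, multicast.
    for src in ["10.0.0.25", "10.1.2.3", "192.168.1.10", "203.0.113.7", "239.1.1.1"]:
        action, logged = evaluate(src)
        print(f"{src:>14} -> {action}{' (logged)' if logged else ''}")
    # With the drop rule above the accept rule, the local subnet is lost too.
    print("reversed chain, 10.0.0.25 ->", evaluate("10.0.0.25", FORWARD_CHAIN[::-1]))
```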

4 Comments

  1. mocha / May 31 2011

    Maybe it is a good idea to give an additional condition for the firewall filter: “input interface=” for your own local subnets.

  2. Greg / May 31 2011

    @mocha
    You can do that also, but you will have to duplicate the firewall rules multiple times.

  3. P Dickey / May 31 2011

    Nitpicky, but please don’t comment non-RFC 1918 addresses with RFC 1918.
    0.0.0.0/8 is RFC 1700 and 224.0.0.0/4 (NOT /3) is RFC 3171. There are others that should be blocked as well to be complete (e.g. RFC 5735, RFC 2544, etc.)

  4. Greg / May 31 2011

    @P
    You are right sir. I should have named them “block” and then just commented what they are.
