Block RFC-1918 Spoofed Traffic
A general rule of thumb in a service provider network is to block RFC 1918 (private addressing) address space. You want to block it inbound from your upstream providers, but filtering it inside your own network is generally a good idea as well. You will also want to block any traffic arriving from your provider that is sourced from your own address space: there is no legitimate reason for traffic carrying your own network addressing to reach you from outside your network.
First create the address-list that contains the RFC-1918 address space as well as the multicast range.
/ip firewall address-list
add address=192.168.0.0/16 comment="RFC 1918 private space" disabled=no list=rfc-1918
add address=172.16.0.0/12 comment="RFC 1918 private space" disabled=no list=rfc-1918
add address=10.0.0.0/8 comment="RFC 1918 private space" disabled=no list=rfc-1918
add address=0.0.0.0/8 comment="this-network range, never a valid source" disabled=no list=rfc-1918
add address=224.0.0.0/3 comment="multicast (224/4) plus reserved (240/4)" disabled=no list=rfc-1918
Next create address-lists that contain the private addressing you might be using inside your network that is valid.
/ip firewall address-list
add address=10.0.0.0/24 comment="private space we legitimately use internally" disabled=no list=local-subnets
We then create two firewall rules: one that accepts traffic from our defined local-subnets, and a second one, placed after it, that drops everything else sourced from rfc-1918 and multicast. The order matters, since rules are evaluated top-down and the first matching terminating rule wins.
/ip firewall filter
add action=accept chain=forward comment="accept traffic from our local subnets" disabled=no src-address-list=local-subnets
add action=drop chain=forward comment="block anything sourced from RFC-1918 and multicast." disabled=no src-address-list=rfc-1918
If you are curious about who is sending what where, duplicate the drop rule but change the action to log. This records the inbound/outbound interface, MAC address and source/destination IP of each matching packet. You can then look up the MAC address and trace the sender down.
*NOTE* Exercise caution when logging. If this is a high packet count spoofed attack, you may kill your router’s CPU.
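To make the rule-ordering point concrete, here is an added Python simulation of how the forward chain above evaluates packets. It is not RouterOS code and not part of the original post; it re-implements the address-list matching and top-down rule walk with the standard ipaddress module. The interface names, the 203.0.113.0/24 "our-public" block and the sample packets are constructed for the example, and the final rule (drop our own address space when it arrives on the upstream interface) is the check the opening paragraph describes but the post does not spell out as a command.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Address lists mirroring the RouterOS address-lists in the post.
# "our-public" is a constructed placeholder for the provider's own public block.
ADDRESS_LISTS = {
    "rfc-1918": [
        "192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8",
        "0.0.0.0/8",     # this-network range, never a valid source on the wire
        "224.0.0.0/3",   # multicast (224/4) plus reserved (240/4)
    ],
    "local-subnets": ["10.0.0.0/24"],   # private space we legitimately use
    "our-public": ["203.0.113.0/24"],   # assumed public block (documentation range)
}
NETS = {name: [ipaddress.ip_network(n) for n in nets]
        for name, nets in ADDRESS_LISTS.items()}


@dataclass
class Rule:
    action: str                      # "accept", "drop" or "log"
    src_list: Optional[str] = None   # src-address-list
    in_iface: Optional[str] = None   # in-interface; None matches any interface
    comment: str = ""


@dataclass
class Packet:
    src: str        # source IPv4 address
    in_iface: str   # interface the packet arrived on


def in_list(addr: str, list_name: str) -> bool:
    """True if addr falls inside any prefix of the named address-list."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in NETS[list_name])


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.src_list and not in_list(pkt.src, rule.src_list):
        return False
    if rule.in_iface and rule.in_iface != pkt.in_iface:
        return False
    return True


def evaluate(chain, pkt: Packet):
    """Walk the chain top-down. 'log' matches but does not terminate;
    the first matching accept/drop decides. Returns (verdict, was_logged)."""
    logged = False
    for rule in chain:
        if not matches(rule, pkt):
            continue
        if rule.action == "log":
            logged = True
            continue
        return rule.action, logged
    return "accept", logged   # no rule matched: default policy is accept


# The chain from the post, with the log duplicate placed BEFORE the drop
# (a log rule after the drop would never see the packet).
FORWARD = [
    Rule("accept", src_list="local-subnets",
         comment="accept traffic from our local subnets"),
    Rule("log", src_list="rfc-1918",
         comment="duplicate of the drop rule, action=log"),
    Rule("drop", src_list="rfc-1918",
         comment="block anything sourced from RFC-1918 and multicast."),
    Rule("drop", src_list="our-public", in_iface="ether1-upstream",
         comment="our own address space must never arrive from upstream"),
]

# Same two rules in the wrong order: the drop now shadows the accept.
MISORDERED = [FORWARD[2], FORWARD[0]]

if __name__ == "__main__":
    samples = [
        Packet("10.0.0.25", "ether2-lan"),        # our own subnet: accept
        Packet("10.1.2.3", "ether1-upstream"),    # other RFC 1918: log + drop
        Packet("224.0.0.5", "ether1-upstream"),   # multicast source: log + drop
        Packet("203.0.113.7", "ether1-upstream"), # our public space from upstream: drop
        Packet("198.51.100.9", "ether1-upstream"),# ordinary internet source: accept
    ]
    for p in samples:
        print(p.src, p.in_iface, "->", evaluate(FORWARD, p))
    print("misordered:", evaluate(MISORDERED, Packet("10.0.0.25", "ether2-lan")))
```

One caveat the simulation makes visible: the accept rule, exactly as written in the post, keys on source address only, so a packet claiming 10.0.0.25 is accepted whether it arrives on the LAN or on the upstream interface. If that subnet never legitimately appears on the upstream link, adding in-interface to the accept rule (as done for the "our-public" drop) closes that gap.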