Block RFC-1918 Spoofed Traffic
A general rule of thumb in a service provider network is to block RFC-1918 (private addressing) address space. You want to block it on the links from your upstream providers as well, but filtering it inside your own network is generally a good idea too. You will also want to block any traffic arriving from your provider that is sourced from your own address space: why would you be sending yourself traffic from outside your network using your own network addressing?
First, create the address-list that contains the RFC-1918 address space as well as the multicast range.
```routeros
# The list is named rfc-1918, but it also carries two non-RFC-1918 ranges:
# 0.0.0.0/8 ("this" network) and 224.0.0.0/3, which covers multicast
# (224.0.0.0/4) together with the reserved 240.0.0.0/4 block.
/ip firewall address-list
add address=192.168.0.0/16 comment="" disabled=no list=rfc-1918
add address=172.16.0.0/12 comment="" disabled=no list=rfc-1918
add address=10.0.0.0/8 comment="" disabled=no list=rfc-1918
add address=0.0.0.0/8 comment="" disabled=no list=rfc-1918
add address=224.0.0.0/3 comment="" disabled=no list=rfc-1918
```
Next, create an address-list containing the private addressing that is legitimately in use inside your network.
```routeros
# Only the private ranges you actually use internally go here.
/ip firewall address-list
add address=10.0.0.0/24 comment="" disabled=no list=local-subnets
```
We then create two firewall rules: one that accepts traffic from our defined local-subnets, and a second, placed after it, that drops everything else sourced from the rfc-1918 list (including multicast). The order matters, because RouterOS stops at the first matching rule.
```routeros
# Accept first, drop second: the drop rule must come after the accept rule.
/ip firewall filter
add action=accept chain=forward comment=\
    "accept traffic from our local subnets" disabled=no src-address-list=\
    local-subnets
add action=drop chain=forward comment=\
    "block anything sourced from RFC-1918 and multicast." disabled=no \
    src-address-list=rfc-1918
```
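The ordered forward-chain logic from the three steps above, modelled in Python as an added example (this is not RouterOS code and not from the original post) so that rule order and list coverage can be checked before the configuration is pushed to a router. It also models the in-interface condition suggested in the comments; the interface names and sample packets are constructed.

```python
import ipaddress

# Address lists exactly as configured on the page (modelled here, not RouterOS).
ADDRESS_LISTS = {
    "rfc-1918": [ipaddress.ip_network(n) for n in (
        "192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8",
        "0.0.0.0/8", "224.0.0.0/3")],
    "local-subnets": [ipaddress.ip_network("10.0.0.0/24")],
}

# Ordered rules: (action, src-address-list, in-interface or None for "any").
# This is the chain from the page: accept local subnets, then drop the rest.
FORWARD_CHAIN = [
    ("accept", "local-subnets", None),
    ("drop", "rfc-1918", None),
]

# Variant with the in-interface condition from the comments. Interface names
# "ether2-lan" (inside) and "ether1-wan" (upstream) are constructed assumptions.
STRICT_CHAIN = [
    ("accept", "local-subnets", "ether2-lan"),
    ("drop", "rfc-1918", None),
]


def in_list(src: str, list_name: str) -> bool:
    """True if the source address falls in any prefix of the named list."""
    ip = ipaddress.ip_address(src)
    return any(ip in net for net in ADDRESS_LISTS[list_name])


def evaluate(chain, src: str, in_iface: str) -> str:
    """First matching rule wins, as in RouterOS; no match falls through ('pass')."""
    for action, list_name, iface in chain:
        if iface is not None and iface != in_iface:
            continue
        if in_list(src, list_name):
            return action
    return "pass"


if __name__ == "__main__":
    # Constructed sample packets: (source IP, ingress interface).
    packets = [("10.0.0.5", "ether2-lan"), ("10.0.0.5", "ether1-wan"),
               ("192.168.1.9", "ether2-lan"), ("239.255.255.250", "ether1-wan"),
               ("240.0.0.1", "ether1-wan"), ("203.0.113.7", "ether1-wan")]
    for src, iface in packets:
        print(f"{src:>16} via {iface:10} page-chain={evaluate(FORWARD_CHAIN, src, iface):6}"
              f" strict-chain={evaluate(STRICT_CHAIN, src, iface)}")
```

The second packet shows the gap the comment about "input interface" addresses: with the page's chain, a 10.0.0.0/24 source arriving from the upstream side is still accepted, while the strict chain drops it.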
If you are curious about who is sending what where, duplicate the drop rule but change the action to log. The log entries give you the ingress/egress interface, the MAC address and the source/destination IP of the packets. You can then look up the MAC address and track the sender down.
*NOTE* Exercise caution when logging. If this is a high packet count spoofed attack, you may kill your router’s CPU.
Maybe it is a good idea to add an additional condition to the firewall filter: “input interface=” for your own local subnets.
@mocha
You can do that also, but you will have to duplicate the firewall rules multiple times.
Nitpicky, but please don’t comment non-RFC 1918 addresses with RFC 1918.
0.0.0.0/8 is RFC 1700 and 224.0.0.0/4 (NOT /3) is RFC 3171. There are others that should be blocked as well to be complete (e.g. RFC 5735, RFC 2544, etc.)
@P
You are right sir. I should have named them “block” and then just commented what they are.