Subject: Re: [snort] Spoofed IP source detection
From: Stephen Zedalis (tintype@exis.net)
Date: Thu Mar 30 2000 - 07:18:38 CST
- Next message: Martin Roesch: "Re: [snort] Snort 1.7 projected features"
- Previous message: Stephen Zedalis: "Re: [snort] Snort 1.7 projected features"
- In reply to: per.thorsheim@no.pwcglobal.com: "[snort] Spoofed IP source detection"
- Next in thread: James McLaughlin: "[snort] DNS lookups too sensitive...or are these attacks??"
- Next in thread: per.thorsheim@no.pwcglobal.com: "Re: [snort] Spoofed IP source detection"
- Reply: Stephen Zedalis: "Re: [snort] Spoofed IP source detection"
- Reply: James McLaughlin: "[snort] DNS lookups too sensitive...or are these attacks??"
Hi,
One has to be very careful about blanket applying these rules without
knowing what will result and exactly "where" to apply these rules.
For instance denying 224.0.0.0/4 (Class D) can affect OSPF routing,
multicast, etc. if applied to router interfaces that are not the actual
ingress/egress point of the local autonomous system.
Some of the addresses in the second list are actually in wide use. For
instance 24.0.0.0/8 is widely used by cable modem providers such as
@Home, Wave, Shaw, and Rogers.
The SANS document is excellent advice, but we must be careful about going
above and beyond unless we know the full consequences of those actions.
I wish IANA would be more forthcoming about what certain of these blocks
are "reserved" for so we can make a decision as to whether to exclude or
not. The cryptic "IANA cable block" doesn't indicate the addresses are in
use and if it's normal to see them in the wild. I think most blocks should
indicate if they are valid global internet addresses that could be seen.
Stephen
On Thu, 30 Mar 2000 per.thorsheim@no.pwcglobal.com wrote:
>Hello everybody.
>
>Although most people prefer to do ingress(1) and egress(2) filtering
>on their routers in order to filter incoming and outgoing traffic, I'm
>interested in putting together a complete list of rules for detecting
>private and 'suspicious' source IP addresses.
>
>In the SANS document "Help Defeat Denial of Service Attacks:
>Step-by-Step" (3), they list the following networks:
>
>0.0.0.0/8 - Historical Broadcast
>10.0.0.0/8 - RFC 1918 Private Network
>127.0.0.0/8 - Loopback
>169.254.0.0/16 - Link Local Networks
>172.16.0.0/12 - RFC 1918 Private Network
>192.0.2.0/24 - TEST-NET
>192.168.0.0/16 - RFC 1918 Private Network
>224.0.0.0/4 - Class D Multicast
>240.0.0.0/5 - Class E Reserved
>248.0.0.0/5 - Unallocated
>255.255.255.255/32 - Broadcast
>
>However; the IANA IPv4 address space list (4) lists these
>networks in addition to those above as 'special' IP blocks;
>
>1.0.0.0/8 - IANA reserved
>2.0.0.0/8 - IANA reserved
>5.0.0.0/8 - IANA reserved
>7.0.0.0/8 - IANA reserved
>14.0.0.0/8 - IANA - Public data network (?)
>23.0.0.0/8 - IANA reserved
>24.0.0.0/8 - IANA cable block
>27.0.0.0/8 - IANA reserved
>31.0.0.0/8 - IANA reserved
>37.0.0.0/8 - IANA reserved
>39.0.0.0/8 - IANA reserved
>41.0.0.0/8 - IANA reserved
>42.0.0.0/8 - IANA reserved
>58.0.0.0/8 - IANA reserved
>59.0.0.0/8 - IANA reserved
>60.0.0.0/8 - IANA reserved
>65-95.0.0.0/8 - IANA reserved
>96-126.0.0.0/8 - IANA reserved
>197.0.0.0/8 - IANA reserved
>217.0.0.0/8 - IANA reserved
>218-223.0.0.0/8 - IANA reserved
>240-255.0.0.0/8 - IANA reserved