Fight Martians!

We shall fight them on the beaches, we shall fight them on our edge routers… right.

What are Martians? In networking lingo, Martian (or bogon) packets are packets carrying a source address that should never appear on the public internet: private ranges, loopback, link-local, documentation ranges, multicast and reserved space. We can harden our edge router by dropping inbound traffic from the internet that is sourced from these addresses. This is the ingress filtering described in BCP 38 (RFC 2827), applied at the edge of a small network.

Here is the list as reported by show ip access-lists (the counters in brackets are the hits so far). Let’s analyse this ACL line by line.

Extended IP access list MARTIANS
10 deny ip 10.0.0.0 0.255.255.255 any
20 deny ip 127.0.0.0 0.255.255.255 any
30 deny ip 169.254.0.0 0.0.255.255 any
40 deny ip 172.16.0.0 0.15.255.255 any
50 deny ip 192.0.2.0 0.0.0.255 any
60 deny ip 192.168.0.0 0.0.255.255 any
70 deny ip 224.0.0.0 31.255.255.255 any
80 deny ip host 46.77.72.69 any
90 permit ip any host 46.77.72.69 log (12 matches)
100 permit ip host 46.77.72.70 host 255.255.255.255 log (2 matches)
110 deny ip any any log

Line 10

10 deny ip 10.0.0.0 0.255.255.255 any

10.0.0.0/8 (10.0.0.0 to 10.255.255.255) is private address space (RFC 1918) and should never arrive from the internet. Your ISP most likely does not route such traffic anyway, but hey, better safe than sorry.

Line 20
20 deny ip 127.0.0.0 0.255.255.255 any

Again, the loopback range 127.0.0.0/8 should never appear on the wire, let alone on the internet.

Line 30
30 deny ip 169.254.0.0 0.0.255.255 any

Link-local (autoconfigured, APIPA) addresses in 169.254.0.0/16 are not routable either (RFC 3927).

Line 40
40 deny ip 172.16.0.0 0.15.255.255 any

Another private range, 172.16.0.0/12 (172.16.0.0 to 172.31.255.255, RFC 1918); the wildcard 0.15.255.255 covers exactly those sixteen /16s.

Line 50
50 deny ip 192.0.2.0 0.0.0.255 any

192.0.2.0/24 is TEST-NET-1, reserved for documentation and examples (RFC 5737). It is not assigned to anyone, so nothing legitimate is ever sourced from it.

Line 60
60 deny ip 192.168.0.0 0.0.255.255 any

Another private range, 192.168.0.0/16 (RFC 1918).

Line 70
70 deny ip 224.0.0.0 31.255.255.255 any

Traffic should never be sourced from a multicast address. Note that the wildcard 31.255.255.255 covers 224.0.0.0/3, that is everything from 224.0.0.0 to 255.255.255.255, so this line also drops the reserved 240.0.0.0/4 block and the limited broadcast address 255.255.255.255 when they show up as a source.

Line 80
80 deny ip host 46.77.72.69 any

This is my public IP. Nothing arriving from the internet side can legitimately carry my own address as its source, so if anybody spoofs it, the packet is dropped.

Line 90
90 permit ip any host 46.77.72.69 log (12 matches)

This is valid traffic, so I permit it. I log it to see who might be a-knockin’ on my door 🙂 It’s actually quite scary how many packets there are after a while… Note that this line permits every IP protocol to my address: this list is an anti-spoofing filter, not a firewall, so filtering by service still has to happen elsewhere.

Line 100

100 permit ip host 46.77.72.70 host 255.255.255.255 log (2 matches)

This is the DHCP traffic from my ISP that gives me an IP address: the DHCPOFFER/DHCPACK from the ISP’s DHCP server or relay at 46.77.72.70 is sent to the limited broadcast address 255.255.255.255 while the router has no address yet. I forgot about this bit until I didn’t get an IP address, hence the ”log” bit in line 110, which made me realize what traffic I forgot. Two caveats: unicast lease renewals addressed to 46.77.72.69 are already matched by line 90, so this line only matters for the initial broadcast exchange, and it is pinned to one server address, so if the ISP moves its DHCP server or relay you will lose your lease again (and the log on line 110 will tell you why).

Line 110

110 deny ip any any log

I’m denying all other traffic. IOS would do this anyway with its implicit deny at the end of every ACL, but an explicit deny with ”log” shows you what you forgot to permit, which is exactly how line 100 was discovered. Keep in mind that IOS rate-limits ACL log messages and they cost router CPU, so treat the log as a hint, not as a complete record of what was dropped.
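As an added example that is not part of the original post: a small Python evaluator that walks the MARTIANS list the way IOS does (top down, first match wins, implicit deny at the end), converts the Cisco wildcard masks to prefixes, and runs a handful of constructed packets through it. The ACL text is the one from the post; the sample packets and the EXTRA_BOGONS table of ranges the list does not cover are assumptions made for the demonstration.

```python
"""Evaluate the MARTIANS ACL the way IOS does: top down, first match wins,
implicit 'deny ip any any' at the end. Added example, not the post's own code;
the sample packets and the EXTRA_BOGONS table are constructed for the demo."""
import ipaddress
from dataclasses import dataclass

# The ACL as listed in the post; the "(n matches)" counters are ignored.
MARTIANS_ACL_TEXT = """
10 deny ip 10.0.0.0 0.255.255.255 any
20 deny ip 127.0.0.0 0.255.255.255 any
30 deny ip 169.254.0.0 0.0.255.255 any
40 deny ip 172.16.0.0 0.15.255.255 any
50 deny ip 192.0.2.0 0.0.0.255 any
60 deny ip 192.168.0.0 0.0.255.255 any
70 deny ip 224.0.0.0 31.255.255.255 any
80 deny ip host 46.77.72.69 any
90 permit ip any host 46.77.72.69 log (12 matches)
100 permit ip host 46.77.72.70 host 255.255.255.255 log (2 matches)
110 deny ip any any log
"""

# Well-known bogon source ranges the post's ACL does not list (assumed
# candidates for the gap check below; the RFCs are the defining documents).
EXTRA_BOGONS = {
    "0.0.0.0/8": "'this' network (RFC 1122)",
    "100.64.0.0/10": "shared address space for CGNAT (RFC 6598)",
    "192.0.0.0/24": "IETF protocol assignments (RFC 6890)",
    "198.18.0.0/15": "benchmarking (RFC 2544)",
    "198.51.100.0/24": "TEST-NET-2 (RFC 5737)",
    "203.0.113.0/24": "TEST-NET-3 (RFC 5737)",
}


@dataclass(frozen=True)
class Ace:
    seq: int
    action: str                  # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    log: bool


def wildcard_to_network(addr, wildcard):
    """Cisco wildcard: a 1 bit means 'don't care'; 0.0.0.0 is a /32 and
    255.255.255.255 a /0. Done by hand because ipaddress reads a bare
    0.0.0.0 mask as a netmask (/0), not as a hostmask."""
    wc = int(ipaddress.IPv4Address(wildcard))
    if wc & (wc + 1):            # must be a run of 1s from the low end
        raise ValueError(f"non-contiguous wildcard {wildcard} is not a prefix")
    return ipaddress.IPv4Network((addr, 32 - wc.bit_length()), strict=False)


def _take_address(tokens):
    """Consume one address spec (any | host A | A WILDCARD) from the token list."""
    if tokens[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.IPv4Network(tokens[1] + "/32"), tokens[2:]
    return wildcard_to_network(tokens[0], tokens[1]), tokens[2:]


def parse_ace(line):
    tokens = line.split()
    seq, action, proto = int(tokens[0]), tokens[1], tokens[2]
    if proto != "ip" or action not in ("permit", "deny"):
        raise ValueError(f"only plain 'permit/deny ip' entries are handled: {line}")
    src, rest = _take_address(tokens[3:])
    dst, rest = _take_address(rest)
    return Ace(seq, action, src, dst, "log" in rest)


def parse_acl(text):
    return [parse_ace(line) for line in text.strip().splitlines()]


def evaluate(acl, src, dst):
    """Return (action, sequence number); a None sequence means the implicit deny fired."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for ace in acl:
        if s in ace.src and d in ace.dst:
            return ace.action, ace.seq
    return "deny", None


def unfiltered_bogons(acl, my_ip):
    """Ranges from EXTRA_BOGONS whose packets to my_ip would be permitted, not denied."""
    leaks = []
    for net in EXTRA_BOGONS:
        probe = str(ipaddress.IPv4Network(net).network_address + 1)
        if evaluate(acl, probe, my_ip)[0] == "permit":
            leaks.append(net)
    return leaks


if __name__ == "__main__":
    acl = parse_acl(MARTIANS_ACL_TEXT)
    samples = [                               # constructed (source, destination) pairs
        ("10.1.2.3", "46.77.72.69"),          # RFC 1918 source -> line 10
        ("255.255.255.255", "46.77.72.69"),   # broadcast source -> line 70 (224/3 covers it)
        ("46.77.72.69", "46.77.72.69"),       # my own address spoofed -> line 80
        ("203.0.113.9", "46.77.72.69"),       # TEST-NET-3 is not listed -> permitted by 90
        ("46.77.72.70", "255.255.255.255"),   # DHCP offer/ack broadcast -> line 100
        ("46.77.72.70", "46.77.72.69"),       # DHCP unicast renewal -> already matched by 90
        ("198.51.100.7", "46.77.72.71"),      # other destination -> explicit deny, line 110
    ]
    for src, dst in samples:
        action, seq = evaluate(acl, src, dst)
        print(f"{src:>16} -> {dst:<16} {action} (line {seq})")
    print("bogons this ACL still lets through:", unfiltered_bogons(acl, "46.77.72.69"))
```

Running it shows two things the listing alone does not: the wildcard on line 70 is really 224.0.0.0/3, so a spoofed broadcast source is caught there, and the unicast DHCP renewal never reaches line 100 because line 90 already matches it. The gap check at the end reports the documentation, benchmarking and CGNAT ranges that this particular list still permits.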

Don’t forget to apply the ACL inbound on the internet-facing interface and save the config:

int gi0
ip access-group MARTIANS in
do wr
