It is a well-known fact that network denial-of-service attacks have one characteristic in common: spoofed addresses. Therefore, it is good security practice to implement some ingress filtering in your border router to defeat denial-of-service attacks which employ IP source address spoofing (RFC2827 – Network Ingress Filtering). The border router is the router that connects you to the Internet or another network outside your control.
As mentioned in Jesper and Steve’s book Protect Your Windows Network, five filtering rules in your border router will block almost all denial-of-service attacks. The first two help prevent spoofing; the remaining three block other kinds of bad traffic from entering your network although I personally would not implement the fifth rule. By offloading this work from your firewall, it’s got less traffic to process and more CPU time to better analyze application-layer attacks. Here are the five filtering rules you should implement:
1. Block all inbound traffic where the source address is in your network.
Why should there be traffic trying to enter your network that is coming from your network? This rule prevents someone from spoofing you.
2. Block all outbound traffic where the source address isn’t in your network.
Why should there be traffic trying to leave your network that is coming from some place else? This rule prevents someone from using you to spoof someone else.
3. Block all inbound and outbound traffic where the source or destination address is in these ranges:
• 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16: this are globally non-routed as defined in RFC1918 – Address Allocation for Private Internets.
• 169.254.0.0/16: this is the “link local” block as defined in RFC3330 – Special-Use IPv4 Addresses and used by Windows for Automatic Private IP Addressing (APIPA).
4. Block all source-routed traffic.
The Internet’s infrastructure is so good that it always routes around outages; source-routed traffic these days is crafted traffic intended to accomplish some attack.
5. Block all fragments.
Attackers still use tools to create packet fragments to circumvent certain access control mechanisms. Note, though, that IPSec-based VPNs that use IKE for key negotiation won’t work now because IKE packets are very long (it’s the key lengths) and will always get fragmented. So if you’re allowing IPsec between the Internet and something behind your border router, you’ll need to skip this final rule.
HTH,
Stefaan