Filtering Out the Noise on the Edge

There’s a lot of noise on the Internet.  I’m not talking about certain news sites, either; I’m talking about stuff like port scans or attempts on weak services from all sorts of bad people on the Internet.  A large chunk of that noise can be filtered by the edge routers, taking some of the load off of the network and firewalls.

Here are a few things that we filter inbound on our Internet links.  Your mileage will vary.

  • Packets from RFC 1918 space — You should never see a packet from 10/8, 172.16/12, or 192.168/16.
  • Packets from your IP space — Why would you receive packets from yourself from the Internet?
  • SSH, telnet, cmd, rlogin, RDP, etc. —  You should be doing all your admin stuff from the internal network or from a VPN, right?
  • Windows ports — For God’s sake, drop these at the edge.
  • Packets to your network services subnets — If you use public addresses for things like your FWSM or CSM sync networks, no one should ever talk to those subnets.
  • SNMP, SNMPTrap — No monitoring from the Internet!
  • SMTP to non-MX hosts — If you have a lot of hosts, you probably have email run amongst them.  Only the MX hosts should accept connections from the Internet.
  • TCP/UDP small services — whois, finger, chargen, etc., are just waiting to be used for something bad.
  • DNS, RNDC — You may have some name caching servers or hidden masters somewhere that shouldn’t be reachable from the Desolate Plains of the Internet™.
  • Syslog — No logging from the Internet.  Use a VPN tunnel or something if you really need it.
  • NTP — You’re not a time service, are you?

That should cut out a significant amont of noise for you.  Remember to allow stuff, too.  You may want to end your ACLs with an old-fashioned permit ip any any log to see what else is coming through and maybe block some of that noise, too.

Aaron Conaway

I shake my head around sometimes and see what falls out. That's what lands on these pages. If you have any questions, the best way to contact me is through Twitter at @aconaway.

More Posts

Follow Me:
Twitter

4 comments for “Filtering Out the Noise on the Edge

  1. Dave
    January 21, 2009 at 2:28 pm

    If you end your ACL with “deny ip any any log” you get rid of all the noise, all the signal too. I suspect you meant “permit ip any any log”.

  2. January 21, 2009 at 3:57 pm

    Darn me and my obvious mistakes! Thanks for the comment, Dave. Fixed.

  3. December 31, 2009 at 7:55 am

    Additionally to RFC1918, there are some more Networks worth filtering: 127.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, 224.0.0.0/3.
    These are the networks I filter in addition to RFC1918. They are defined in RFC3330.

Leave a Reply

Your email address will not be published. Required fields are marked *