Filtering Out the Noise on the Edge
There’s a lot of noise on the Internet. I’m not talking about certain news sites, either; I’m talking about stuff like port scans or attempts on weak services from all sorts of bad people on the Internet. A large chunk of that noise can be filtered by the edge routers, taking some of the load off of the network and firewalls.
Here are a few things that we filter inbound on our Internet links. Your mileage will vary.
- Packets from RFC 1918 space — You should never see a packet from 10/8, 172.16/12, or 192.168/16.
- Packets from your IP space — Why would you receive packets from yourself from the Internet?
- SSH, telnet, cmd, rlogin, RDP, etc. — You should be doing all your admin stuff from the internal network or from a VPN, right?
- Windows ports (TCP/UDP 135, 137–139, 445) — For God’s sake, drop these at the edge.
- Packets to your network services subnets — If you use public addresses for things like your FWSM or CSM sync networks, no one should ever talk to those subnets.
- SNMP, SNMPTrap — No monitoring from the Internet!
- SMTP to non-MX hosts — If you have a lot of hosts, you probably have email run amongst them. Only the MX hosts should accept connections from the Internet.
- TCP/UDP small services — whois, finger, chargen, etc., are just waiting to be used for something bad.
- DNS, RNDC — You may have some name caching servers or hidden masters somewhere that shouldn’t be reachable from the Desolate Plains of the Internet™.
- Syslog — No logging from the Internet. Use a VPN tunnel or something if you really need it.
- NTP — You’re not a time service, are you?
That should cut out a significant amount of noise for you. Remember to allow stuff, too: an IOS ACL ends in an implicit deny, so anything you don’t explicitly permit is gone. You may want to end your ACLs with an old-fashioned permit ip any any log to see what else is coming through and maybe block some of that noise, too.
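Here is the list above written out as an IOS extended ACL. This is an added example, not the configuration from the original post; the public block (203.0.113.0/24), MX host (203.0.113.25), public DNS server (203.0.113.53), FWSM/CSM sync subnet (203.0.113.128/25), upstream NTP server (192.0.2.123) and uplink interface (GigabitEthernet0/0) are all assumed placeholders you would swap for your own. It also folds in the loopback and link-local ranges mentioned in the comments.

```cisco
! Edge ingress ACL for the Internet-facing interface (added example).
! Assumed values: our public block is 203.0.113.0/24, the MX host is
! 203.0.113.25, the public authoritative DNS server is 203.0.113.53, the
! FWSM/CSM sync subnet is 203.0.113.128/25, the upstream NTP server is
! 192.0.2.123 and the uplink is GigabitEthernet0/0. Replace with your own.
ip access-list extended EDGE-IN
 remark --- spoofed sources: RFC 1918, loopback, link-local, our own block
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip 169.254.0.0 0.0.255.255 any
 deny   ip 203.0.113.0 0.0.0.255 any
 remark --- nobody on the Internet talks to the FWSM/CSM sync subnet
 deny   ip any 203.0.113.128 0.0.0.127
 remark --- remote admin belongs on the inside or behind the VPN
 deny   tcp any any eq 22
 deny   tcp any any eq telnet
 deny   tcp any any range 512 514
 deny   tcp any any eq 3389
 remark --- Windows / SMB
 deny   tcp any any eq 135
 deny   udp any any eq 135
 deny   tcp any any range 137 139
 deny   udp any any range 137 139
 deny   tcp any any eq 445
 remark --- SNMP and traps
 deny   udp any any eq snmp
 deny   udp any any eq snmptrap
 remark --- SMTP only to the MX host
 permit tcp any host 203.0.113.25 eq smtp
 deny   tcp any any eq smtp
 remark --- small services
 deny   tcp any any eq echo
 deny   udp any any eq echo
 deny   tcp any any eq discard
 deny   udp any any eq discard
 deny   tcp any any eq daytime
 deny   tcp any any eq chargen
 deny   udp any any eq chargen
 deny   tcp any any eq whois
 deny   tcp any any eq finger
 remark --- DNS only to the public authoritative server, never RNDC
 permit udp any host 203.0.113.53 eq domain
 permit tcp any host 203.0.113.53 eq domain
 deny   udp any any eq domain
 deny   tcp any any eq domain
 deny   tcp any any eq 953
 remark --- syslog
 deny   udp any any eq syslog
 remark --- NTP: our clients source from 123, so let the upstream server reply
 permit udp host 192.0.2.123 eq ntp 203.0.113.0 0.0.0.255 eq ntp
 deny   udp any any eq ntp
 remark --- learn what else comes in, then tighten
 permit ip any any log
!
interface GigabitEthernet0/0
 ip access-group EDGE-IN in
```

Two things to watch. First, order matters: the exceptions (MX host, public DNS server, upstream NTP) sit before the deny that would otherwise swallow them. The NTP exception is the one people forget: ntpd sends its queries from port 123, so a flat deny udp any any eq ntp silently kills your own clients’ replies; an old resolver that sources queries from port 53 needs the same kind of exception. Second, the log keyword punts a copy of every matching packet to the router CPU, so on a busy link rate-limit the logging or drop the keyword once show ip access-lists EDGE-IN has told you what is still getting through.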
If you end your ACL with “deny ip any any log” you get rid of all the noise, all the signal too. I suspect you meant “permit ip any any log”.
Darn me and my obvious mistakes! Thanks for the comment, Dave. Fixed.
In addition to RFC 1918, there are some more networks worth filtering: 127.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, 18.104.22.168/3.
These are the networks I filter in addition to RFC 1918. They are defined in RFC 3330.