Source Filtering for Internet Traffic

When examining inbound traffic at your Internet edge, there are quite a few source networks that should be automatically discarded. RFC 3330 (Special-Use IPv4 Addresses) specifies many of these.

Local Networks

In most sane networks, you should never see inbound traffic from your own address space. Thus, if you have 12.3.45.0/24 as your public address space, your inbound ACL should block traffic appearing to be sourced from this network.

RFC 1918

10.0.0.0 /8

172.16.0.0 /12

192.168.0.0 /16

An easy way to remember the CIDR value for these (found on GroupStudy): each is 4 greater than the last.

Local-only Networks

0.0.0.0 /8

127.0.0.0 /8 - note: not just 127.0.0.1!

169.254.0.0 /16

These are (respectively) the “this network” range, the localhost address space (the whole /8, not just the single loopback address), and the Microsoft AutoNet network (also called APIPA, for Automatic Private IP Addressing).

Reserved Networks

192.0.2.0 /24 - TEST-NET, reserved for documentation and examples (the IP equivalent of example.com)

198.18.0.0 /15 - Benchmark networks

240.0.0.0 /4 - Class E

Multicast

224.0.0.0 /4

The multicast address space will never appear as a source address in legitimate traffic. A multicast IP is always a destination.

Unassigned Address Space

Many experts recommend filtering all unallocated address space (networks that have not been assigned to users or ISPs by the various numbering authorities, such as ARIN or APNIC). This requires diligence on the part of network administrators to track new address allocations and keep ACLs up-to-date, to avoid blackholing legitimate traffic from newly-assigned networks. For more information, see the Bogon Reference at Cymru.
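To turn the lists above into something you can check against traffic, here is an added example (not from the original post): it assembles the special-use prefixes from this page plus your own public space (the 12.3.45.0/24 example) into one collapsed source filter, renders it as Cisco IOS extended-ACL lines, and flags matching sources in a few constructed log lines. The unallocated-space list is left as an empty placeholder, since it has to be refreshed from an external reference as allocations change.

```python
import ipaddress

# Special-use source prefixes listed on the page (RFC 3330 / RFC 1918 / multicast / Class E).
SPECIAL_USE_SOURCES = [
    "0.0.0.0/8",       # "this network"
    "10.0.0.0/8",      # RFC 1918
    "127.0.0.0/8",     # loopback, the whole /8
    "169.254.0.0/16",  # link-local / APIPA
    "172.16.0.0/12",   # RFC 1918
    "192.0.2.0/24",    # TEST-NET
    "192.168.0.0/16",  # RFC 1918
    "198.18.0.0/15",   # benchmark networks
    "224.0.0.0/4",     # multicast: never a legitimate source
    "240.0.0.0/4",     # Class E
]

def build_source_filter(local_prefixes, unallocated_prefixes=()):
    """Return the collapsed list of source networks to drop at the edge.
    local_prefixes: your own public space.  unallocated_prefixes: bogon list
    from an external reference (placeholder, assumed to be maintained separately)."""
    nets = [ipaddress.ip_network(p) for p in
            (*SPECIAL_USE_SOURCES, *local_prefixes, *unallocated_prefixes)]
    return list(ipaddress.collapse_addresses(nets))  # merge overlaps/adjacent blocks

def is_bogon_source(src, filter_nets):
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in filter_nets)

def to_cisco_acl(filter_nets, name="EDGE-IN"):
    """Render the filter as IOS extended-ACL lines (wildcard mask = hostmask)."""
    lines = [f"ip access-list extended {name}"]
    lines += [f" deny ip {n.network_address} {n.hostmask} any" for n in filter_nets]
    lines.append(" permit ip any any")  # remaining policy goes before this line
    return lines

SAMPLE_LOG = [  # constructed key=value flow records, not real traffic
    "src=10.1.2.3 dst=12.3.45.10 proto=tcp dport=80",
    "src=12.3.45.7 dst=12.3.45.10 proto=tcp dport=22",
    "src=224.0.0.251 dst=12.3.45.10 proto=udp dport=5353",
    "src=8.8.8.8 dst=12.3.45.10 proto=udp dport=53",
]

def flag_log_sources(log_lines, filter_nets):
    """Return (src, matched_prefix) for every record whose source is in the filter."""
    hits = []
    for line in log_lines:
        fields = dict(kv.split("=", 1) for kv in line.split() if "=" in kv)
        try:
            addr = ipaddress.ip_address(fields.get("src", ""))
        except ValueError:
            continue  # missing or unparsable source field: skip the record
        match = next((net for net in filter_nets if addr in net), None)
        if match is not None:
            hits.append((str(addr), str(match)))
    return hits
```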