Best Answer
You can do this a few ways. I have a networking background, so rather than using iptables I
prefer to ban at the kernel directly (by using blackhole, as below; the kernel makes
NO effort to reply to or process packets from these addresses, which is ideal for attacks causing
load). This is a list of Bogons (check it pretty regularly):
http://www.team-cymru.org/Services/Bogons/bogon-bn.html
Create a start-up file to run on boot. On Debian/Ubuntu, for example, a not-very-graceful way
would be to make a file executable with chmod +x in /etc/init.d/,
like ban_bogons. Then from inside that directory do update-rc.d ban_bogons
defaults and it'll load at boot time. Fill and save that file with references from the URL above, along the lines of:
ip route add blackhole 0.0.0.0/8
ip route add blackhole 10.0.0.0/8
ip route add blackhole 127.0.0.0/8
ip route add blackhole 169.254.0.0/16
ip route add blackhole 172.16.0.0/12
ip route add blackhole 192.0.0.0/24
ip route add blackhole 192.0.2.0/24
ip route add blackhole 192.168.0.0/16
ip route add blackhole 198.18.0.0/15
ip route add blackhole 198.51.100.0/24
ip route add blackhole 203.0.113.0/24
ip route add blackhole 224.0.0.0/3
|
User "s" said:
"route reject" or "route blackhole" stops you from *sending* to those hosts, not from
receiving.
As a matter of interest, is there an ip route command that also blocks incoming
traffic too? I know iptables would work, but can ip route do it too?
|
As best practice any good ISP should have an updated bogon (including RFC 1918) filter applied
at the border router; this will also include filtering packets with their own source
ranges.
This isn't something an end user of a webserver should have to concern themselves with. I'd
ask your ISP.
|
"route reject" or "route blackhole" stops you from *sending* to those hosts, not from
receiving.
rp_filter filters incoming packets. If rp_filter is "1" and an incoming packet is coming with
a source address of "X" on interface ethy and the route to address X is not via interface
ethy but via interface ethx (or via a blackhole route), then that packet will be discarded.
With rp_filter on, it makes sense to add blackhole or reject routes, so Bogofilter's
answer still applies. Note however that it may be valid for packets to be coming from a
different route from the return one depending on the network topology, so that's to be used
with care.
|
Thanks but I don't understand @s.
How can I drop all traffic from those IP ranges ?
Using something like ip route reject 169.254.0.0/16 instead ?
|
Adding blackhole routes won't help much here. The incoming packets will be processed (so, for
instance, that doesn't stop SYN floods or non-TCP based attacks). And if the server is
connected to private subnets (it is at least for 127.0/8), those blackhole routes will be
preempted (and that's where it's going to be more of an issue).
Using rp_filter looks more like the correct answer to that question:
sysctl -w net.ipv4.conf.all.rp_filter=1
For Linux, see Documentation/networking/ip-sysctl.txt in the linux kernel sources.
|
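The combination the thread ends up with, blackhole routes for the bogon prefixes (the accepted answer) plus rp_filter=1 so the kernel actually discards incoming packets from those sources (Bogofilter's two replies), as an added example that is not code from any poster. It assumes the prefix list from the accepted answer, a Linux host with the ip and sysctl tools, and defaults to a dry run that only prints the commands; the ip_to_int, in_prefix and is_bogon helper names are hypothetical, added here so an address can be checked against the list without root:

```shell
#!/bin/sh
# Added example, not code from the thread: install the IPv4 bogon list as
# kernel blackhole routes AND enable strict reverse-path filtering. As the
# thread explains, a blackhole route only affects what this host sends;
# rp_filter=1 is what makes the kernel discard an incoming packet whose
# source address would be routed into the blackhole.
#
#   sh ban_bogons.sh             # dry run: print what would be done
#   sudo sh ban_bogons.sh apply  # really install the routes and sysctl
#
# The prefix list is copied from the accepted answer; refresh it from the
# Team Cymru page, and never add a range this host actually talks to
# (e.g. 10/8 if its management interface lives there), or rp_filter will
# drop that legitimate traffic too.

BOGONS="
0.0.0.0/8
10.0.0.0/8
127.0.0.0/8
169.254.0.0/16
172.16.0.0/12
192.0.0.0/24
192.0.2.0/24
192.168.0.0/16
198.18.0.0/15
198.51.100.0/24
203.0.113.0/24
224.0.0.0/3
"

# ip_to_int 10.0.0.1 -> 167772161 (the address as an unsigned 32-bit value).
# Runs in a subshell so the IFS change does not leak out.
ip_to_int() (
    IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# in_prefix ADDR CIDR: succeed if ADDR lies inside CIDR.
in_prefix() {
    case $2 in */*) ;; *) echo "in_prefix: bad prefix '$2'" >&2; return 2 ;; esac
    addr=$(ip_to_int "$1")
    net=$(ip_to_int "${2%/*}")
    bits=${2#*/}
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( addr & mask )) -eq $(( net & mask )) ]
}

# is_bogon ADDR: succeed if ADDR falls inside any prefix in $BOGONS.
# This mirrors the decision rp_filter=1 makes for a packet from ADDR
# once the blackhole routes below are installed: no usable route back
# to the source, so the packet is discarded.
is_bogon() {
    for p in $BOGONS; do
        in_prefix "$1" "$p" && return 0
    done
    return 1
}

# emit_commands: print the commands that install the filter, one per line.
emit_commands() {
    # 1 = strict mode: drop unless the best route back to the source leaves
    # via the interface the packet arrived on. Use 2 (loose mode: any route
    # to the source will do) on hosts with asymmetric routing.
    echo "sysctl -w net.ipv4.conf.all.rp_filter=1"
    echo "sysctl -w net.ipv4.conf.default.rp_filter=1"
    for p in $BOGONS; do
        echo "ip route add blackhole $p"
    done
}

# run MODE: "dry-run" prints the commands, "apply" executes them (needs root).
run() {
    emit_commands | while read -r cmd; do
        if [ "$1" = apply ]; then
            $cmd     # built only from the constants above, so safe to word-split
        else
            echo "$cmd"
        fi
    done
}

run "${1:-dry-run}"
```

Run it without arguments first and read the dry-run output against `ip route` and `ip addr` on the host: any prefix that overlaps an interface's own subnet (127.0/8 on loopback is the obvious one, as Bogofilter notes) will be shadowed by the more specific connected route, and strict rp_filter on a host with asymmetric routing will drop legitimate traffic, which is when loose mode (2) is the right setting.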
Thanks, Bogofilter.
That's exactly what I was after.
100 well-earned points winging their way to you.
|