Deny bogons and public multicast IPs with FortiDDoS ACLs

This recipe shows you how to deny bogons and public multicast IPs with FortiDDoS ACLs

Deny Bogons and public Multicast IPs with Global ACLs – Overview

Bogon source IPs should never be seen from the Internet and very few applications participate in public multicast networks. While most DDoS attacks now randomize Source IPs from almost the entire IPv4 address space (2^32 addresses), some attacks persist in spoofing bogons and public multicast IPs. Both bogon and public multicast IP subnets can be ACLed to keep that traffic from your network.

FortiDDoS’ unique architecture allows very large ACLs in hardware. All mitigation, including ACLs, is done by the FortiDDoS TP2 processors, which are custom-built, massively parallel transaction processors for DDoS mitigation and ACLs. The ACLs are coded directly into the TP2, changing the structure of the processor. This allows very large ACLs with zero performance penalty. These Bogon/Multicast ACLs will not affect the performance of the system. You can use FortiDDoS to offload other network elements from dealing with these ACLs.

The scripts linked below can be used to deny bogons and public multicast IPs.
These ACLs can be added before or after adding other Global ACLs. 

1. Accessing FortiDDoS using SSH (or use GUI Console window)

Rather than use the GUI to add numerous bogon subnets, open a PuTTY SSH window (preferred) or the GUI Console window and log in to the system. Ensure you see the command prompt #.

[Figure: SSH Login]

2. Accessing script text files

Scripts are located:

  • here for full Bogons (including private IPs) and Multicast:
  • and here for Bogons only (including Private IPs but excluding Multicast):

The links will open in a new browser tab.

[Figure: Egnyte screenshot of Bogon script]

3. Copying/Pasting the script to the SSH window


Copy the entire text script from the browser tab and paste it into a PuTTY window at the command prompt.

When complete, exit the SSH session.

[Figure: Bogon script in PuTTY]

4. Checking that ACLs have been applied

Log in to the FortiDDoS GUI and go to:

Global Settings > Address Config

  • You should see 2 pages of subnets
    • 10 on Page 1
    • 3 on Page 2

[Figure: FortiDDoS GUI of Global Address Config]

Global Settings > Access Control List > Access Control List

  • You should see 2 pages of policies
    • 10 on Page 1
    • 3 on Page 2

[Figure: FortiDDoS Access Control List Config]

Remember: Global ACLs will only be enforced in SPPs that are in Prevention Mode. If the SPP is in Detection Mode, Global ACL drops will be displayed but the packets will be allowed to pass.

Note 1: FortiDDoS does not display the Source or Destination IP of any ACLed IP or subnet. It will always display the protected IP that was the Inbound Destination or Outbound Source of the ACLed packets.

Note 2: As IPv4 exhaustion continues, non-Private IP Bogons are no longer completely static. A good resource to check current bogons and public multicast info is here: http://www.team-cymru.com/bogon-reference-http.html. Use the Bit Notation Aggregated list.
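As an added example (not part of the Fortinet recipe or its linked scripts), the following Python snippet parses a bogon list in the bit (CIDR) notation mentioned in Note 2, aggregates it to the fewest prefixes before it is turned into ACL entries, and classifies an inbound source address as bogon, multicast or public. The prefix list is a constructed sample of well-known reserved ranges, not the contents of the linked scripts, and the function names are assumptions made for this example.

```python
import ipaddress

# Constructed sample in the CIDR ("bit notation") form used by aggregated bogon
# lists: well-known reserved/private ranges, NOT the recipe's linked scripts.
SAMPLE_BOGON_LIST = """
# bogons (constructed sample)
0.0.0.0/8
10.0.0.0/8
100.64.0.0/10
127.0.0.0/8
169.254.0.0/16
172.16.0.0/12
192.168.0.0/16
198.18.0.0/15
203.0.113.0/24
240.0.0.0/4
"""

# Public multicast space, kept separate so it can be included or left out,
# mirroring the two script variants the recipe links to.
PUBLIC_MULTICAST = ipaddress.ip_network("224.0.0.0/4")

def parse_bogon_list(text):
    """Parse CIDR lines, skipping comments and blanks; strict=True rejects
    entries with host bits set (e.g. 10.0.0.1/8) instead of silently widening."""
    nets = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            nets.append(ipaddress.ip_network(line, strict=True))
        except ValueError as exc:
            raise ValueError(f"line {lineno}: {line!r}: {exc}") from exc
    return nets

def aggregate(nets):
    """Collapse overlapping/adjacent prefixes to the fewest ACL entries.
    Adjacent ranges merge: 224.0.0.0/4 + 240.0.0.0/4 becomes 224.0.0.0/3."""
    return list(ipaddress.collapse_addresses(nets))

def classify_source(ip, bogons, deny_multicast=True):
    """Return 'multicast', 'bogon' or 'public' for an inbound source address."""
    addr = ipaddress.ip_address(ip)
    if deny_multicast and addr in PUBLIC_MULTICAST:
        return "multicast"
    if any(addr in net for net in bogons):
        return "bogon"
    return "public"
```

Aggregating the multicast and bogon lists together merges 224.0.0.0/4 and 240.0.0.0/4 into a single 224.0.0.0/3 entry, so the entry count on the device can differ from the line count of the source list.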

More info on bogons and public multicast IPs can be found here: http://www.team-cymru.com/bogon-reference.html.

For further reading on FortiDDoS ACLs, check out:

FortiDDoS Global Address ACLs
FortiDDoS Global Access Control Lists
FortiDDoS SPP Address ACLs
FortiDDoS SPP Service ACLs
FortiDDoS SPP Access Control Lists

Unlike competitors, FortiDDoS does not use x86 processing for any traffic monitoring or mitigation. The Transaction Processors inspect 100% of all passing traffic packets.