North American Network Operators Group|
Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical
Re: filtering whitehouse.gov?
On Sat, 21 Jul 2001, Jon O . wrote: > I understand your need to do something like this, but you are > essentially causing the worm to fulfill it's goal and > censoring your customers. I worried that many people would do this. > Why not just use outbound Cisco ACLs on your CPE, Core, and Border > routers to permit and log the traffic to the one IP address being > attacked and them contact the people who have hacked machines? Or, > if you must use the ACLs to deny the packets with the goal of > identifing machines and getting them fixed. Outbound ACL's are an option but then you would have to be sure that they are sending the packets to port 80. > access-list 199 permit tcp any host 22.214.171.124 eq 80 log > access-list 199 permit tcp any host 126.96.36.199 eq 80 log > > You should already be logging packets to a syslog server. We already log every packet coming by on a machine which counts the traffic so any infected box will be identified soon. > To make deny rules just change the permit to deny. However, this is > kind of drastic and almost amounts to censorship. Censorship is a way to see it, I prefer to call it operational prevention of a DoS attack. The risk of "censoring" two IP's over DoS'ing an entire network is one I can explain to angry customers (if there are any). -- /* Sabri Berisha CCNA,BOFH,+iO O.O speaking for just myself * Join HAL!!: www.HAL2001.org ____oOo_U_oOo____ http://www.bit.nl/~sabri * "We deliver quality services, we just can't get it on the internet" * Anonymous sysadmin - on IRC */