North American Network Operators Group


Re: filtering

  • From: Sabri Berisha
  • Date: Sun Jul 22 05:55:07 2001

On Sat, 21 Jul 2001, Jon O . wrote:

> I understand your need to do something like this, but you are
> essentially causing the worm to fulfill its goal and
> censoring your customers. I worried that many people would do this.

> Why not just use outbound Cisco ACLs on your CPE, Core, and Border
> routers to permit and log the traffic to the one IP address being
> attacked and then contact the people who have hacked machines? Or,
> if you must use the ACLs to deny the packets with the goal of
> identifying machines and getting them fixed.

Outbound ACLs are an option, but then you would have to be sure that they
are sending the packets to port 80.

> access-list 199 permit tcp any host eq 80 log
> access-list 199 permit tcp any host eq 80 log
> You should already be logging packets to a syslog server.

We already log every packet coming by on a machine which counts the
traffic so any infected box will be identified soon.

> To make deny rules just change the permit to deny. However, this is
> kind of drastic and almost amounts to censorship.

Censorship is a way to see it; I prefer to call it operational prevention
of a DoS attack. The risk of "censoring" two IPs over DoS'ing an entire
network is one I can explain to angry customers (if there are any).

/* Sabri Berisha CCNA,BOFH,+iO        O.O        speaking for just myself
 * Join HAL!!: ____oOo_U_oOo____
 *  "We deliver quality services, we just can't get it on the internet"
 *   Anonymous sysadmin - on IRC                                       */
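The thread suggests matching outbound traffic to the attacked host with a logged ACL and then working out which customer machines are infected from the syslog. As an added example that is not part of the original post, the following Python script does that second step: it parses the IOS `%SEC-6-IPACCESSLOGP` lines an `access-list ... log` entry produces, sums packet counts per source, and flags sources over a threshold. The log lines are constructed for the example, ACL number 199 is taken from the thread, and the target address 192.0.2.10 is a placeholder because the post does not give the real one.

```python
import re
from collections import Counter

# IOS access-list "log" syslog format (the "N packet(s)" count is the
# 5-minute summary IOS emits after the first logged packet of a flow).
ACL_LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\w+) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)

# Constructed sample syslog; 192.0.2.10 stands in for the attacked host.
SAMPLE_LOG = """\
Jul 22 05:40:01 border1 12: %SEC-6-IPACCESSLOGP: list 199 permitted tcp 10.0.0.5(1034) -> 192.0.2.10(80), 1 packet
Jul 22 05:40:03 border1 13: %SEC-6-IPACCESSLOGP: list 199 permitted tcp 10.0.0.5(1035) -> 192.0.2.10(80), 1 packet
Jul 22 05:40:07 border1 14: %SEC-6-IPACCESSLOGP: list 199 permitted tcp 10.0.0.77(2201) -> 192.0.2.10(80), 1 packet
Jul 22 05:45:02 border1 15: %SEC-6-IPACCESSLOGP: list 199 permitted tcp 10.0.0.5(1036) -> 192.0.2.10(80), 4 packets
Jul 22 05:45:09 border1 16: %SEC-6-IPACCESSLOGP: list 199 permitted tcp 10.0.0.9(1500) -> 192.0.2.10(80), 1 packet
Jul 22 05:45:10 border1 17: %SEC-6-IPACCESSLOGP: list 199 permitted tcp 10.0.0.5(1037) -> 192.0.2.10(80), 1 packet
Jul 22 05:46:00 border1 18: %SEC-6-IPACCESSLOGP: list 150 permitted tcp 10.0.0.99(1500) -> 192.0.2.10(80), 1 packet
Jul 22 05:46:01 border1 19: %SEC-6-IPACCESSLOGP: list 199 permitted udp 10.0.0.99(1500) -> 192.0.2.10(80), 1 packet
"""


def parse_acl_hits(log_text, acl="199", dst=None, dport=80):
    """Return {source_ip: total_packets} for TCP hits on the given ACL.

    Lines from other ACLs, other protocols or other destination ports are
    ignored; if dst is given, only hits towards that address are counted.
    """
    hits = Counter()
    for line in log_text.splitlines():
        m = ACL_LOG_RE.search(line)
        if not m:
            continue  # unrelated syslog line
        if m["acl"] != acl or m["proto"] != "tcp" or int(m["dport"]) != dport:
            continue
        if dst is not None and m["dst"] != dst:
            continue
        hits[m["src"]] += int(m["count"])
    return dict(hits)


def suspect_sources(hits, threshold=3):
    """Sources whose packet count reaches the threshold, sorted for reporting."""
    return sorted(ip for ip, n in hits.items() if n >= threshold)


if __name__ == "__main__":
    counts = parse_acl_hits(SAMPLE_LOG, dst="192.0.2.10")
    for ip, n in sorted(counts.items()):
        print(f"{ip:16} {n} packets")
    print("suspects:", suspect_sources(counts))
```

The threshold is a judgement call: a single logged connection to the attacked host may be a customer browsing it, whereas a steady stream of new source ports from one address is the pattern worth a phone call. Note that IOS rate-limits ACL logging, so the counts are a lower bound on what the host actually sent.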