RE: Packet blocking

Mon, 25 Mar 2002 13:21:00 -0800

If you implemented this as an outbound ACL (On the external interface), then you are going to block connections from these source ports, not the destination port as intended. In addition you are probably experinecing NAT Table exhaustion. This is common with SYN flood attacks and Code Red compromises. Check this article.
http://www.cisco.com/warp/public/707/21.html (General Purpose Router security)
HTH
Ken Claussen MCSE CCNA CCA
"In Theory it should work as you describe, but the difference between theory and reality is the truth! For this we all strive"
-----Original Message-----
From: Matthew Carpenter [mailto:[EMAIL PROTECTED]]
Sent: Monday, March 25, 2002 4:10 PM
To: '[EMAIL PROTECTED]'
Cc: '[EMAIL PROTECTED]'
Subject: Packet blocking

I have an ACL on my router to block outgoing packets destined to other machines' port 22. Yes, I did mean outgoing. We have a hacked machine we are trying to recover who is doing random port scans. The problem is that the denials on the router are causing our firewall (Netmax) to overflow its buffers and shut down. I am assuming that it is sending ICMP packs back (NDRs) and that is why it is falling all over itself. Can I get the router (2524) to simply drop the packets, without notifying the firewall that anything is not getting through??

 

Here is the exact ACL I implemented on the outbound port

 

access-list 165 deny tcp any eq 22 any log

access-list 165 deny tcp any eq 513 any log

access-list 165 deny tcp any eq 514 any log

access-list 165 deny tcp any eq 2002 any log

access-list 165 deny tcp any eq 3035 any log

access-list 165 deny tcp any any eq 22 log

access-list 165 deny tcp any any eq 513 log

access-list 165 deny tcp any any eq 514 log

access-list 165 permit tcp any any

 

Matthew Carpenter, MCP, CNA, A+
Network Engineer and Exchange Administrator
SARMA
1801 Broadway
San Antonio, TX 78215

 

Reply via email to