Cisco ACL question

2006-05-31 Thread Jon R. Kibler
Greetings All,

Sorry for the slightly off-topic question, but I suspect that this is an issue
that others have faced or may soon face as ISPs continue to push out more
PPP-oriented networks.

One of our customers' ISP is converting from static IP assignments to PPP IP
assignments for all customers' Internet-facing routers. This is creating a
security problem that I do not know how to fix and for which the ISP is no
help. Problem: how to ACL on a dynamic IP?

Assume that we have the following (partial) configuration on a Cisco 2801 and
are assigned the static netblock 1.2.3.0/29. This was what worked before the
ISP made the change.

! Old config example
interface serial0/2/0
 ip address 1.2.3.1 255.255.255.248
 ip nat outside
 ip access-group 110 in
 ...

interface fastethernet0/0
 ip address 172.17.100.254 255.255.255.0
 ip nat inside
 ...

ip nat pool localstatic 1.2.3.2 1.2.3.2 prefix-length 29
ip nat inside source list 1 pool localstatic overload
ip nat inside source static tcp 172.17.100.22 22 1.2.3.5 12322
ip nat inside source static ...

access-list 1 permit 172.17.100.0 0.0.0.255
access-list 1 deny   any log

access-list 110 permit tcp any 1.2.3.0 0.0.0.7 established
access-list 110 permit tcp host a.b.c.d host 1.2.3.5 eq 12322
access-list 110 deny   tcp any any log
access-list 110 permit udp host d.n.s.1 eq 53 host 1.2.3.2
access-list 110 permit udp host d.n.s.1 host 1.2.3.2 eq 53
access-list 110 permit udp host n.t.p.1 eq 123 host 1.2.3.2
access-list 110 deny   udp any any log
access-list 110 permit icmp any host 1.2.3.2 echo-reply
access-list 110 permit icmp any host 1.2.3.2 unreachable
access-list 110 permit icmp any host 1.2.3.2 time-exceeded
access-list 110 deny   icmp any any log
access-list 110 deny   ip any any log


In the new configuration, the serial0/2/0 interface now has a dynamic IP. How
can I put ACLs on that IP that will permit NTP, DNS, and ICMP originating from
within the router to work? Everything behind the router works, but anything
generated by the router itself breaks (because the external IP is not
permitted in an ACL).

In the new configuration, this is the only change I made (other than PPP stuff):

! New config example
interface serial0/2/0
 ip address negotiated
 ip nat outside
 ip access-group 110 in
 ...


Everything from behind the router continues to work fine. However, the router
is unable to do NS lookups, set time, etc. Basically, all traffic to the
dynamic IP is blocked. Is there a SIMPLE way to fix this problem AND keep the
router secured?

I have searched the Cisco site, and Google, and cannot seem to find an answer
that I can fully comprehend. I thought that maybe 'ip nat outside' was my fix,
but I could not get it to do what I expected.

Thanks in advance for your help!

Jon Kibler
-- 
Jon R. Kibler
Chief Technical Officer
A.S.E.T., Inc.
Charleston, SC  USA
(843) 849-8214
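One way to answer the question above, as an added example that is not part of the original post or of any reply on the list, and not a Cisco-published recommendation. It assumes the ISP still routes 1.2.3.0/29 to this router across the PPP link (so the NAT pool and the static translations are unchanged) and that only the Serial0/2/0 address is now negotiated; d.n.s.1, n.t.p.1 and a.b.c.d are the poster's placeholders. The point it shows is that the router's own traffic is sourced from the negotiated address, so the replies are addressed to it and no entry written around "host 1.2.3.2" can match; because every return-traffic permit is already pinned to one server and one source port, the destination can be widened to "any" without admitting anything unsolicited.

```cisco
! Added example; not the poster's configuration.
! Assumptions: 1.2.3.0/29 is still routed to this router over the PPP
! link; only the Serial0/2/0 address is negotiated; d.n.s.1, n.t.p.1 and
! a.b.c.d are placeholders from the original post.
!
! Replies to the router's own DNS/NTP/ping traffic arrive with the
! negotiated address as destination. The source side of each permit
! (server address plus source port) is what keeps these lines tight, so
! the destination can be "any": that covers the NAT pool, the /29 and
! whatever address PPP assigns.
!
ip access-list extended WAN-IN
 remark TCP: replies to sessions opened from inside or by the router itself,
 remark plus the single published port-forward
 permit tcp any any established
 permit tcp host a.b.c.d host 1.2.3.5 eq 12322
 deny   tcp any any log
 remark UDP: DNS and NTP answers only from the configured servers
 permit udp host d.n.s.1 eq 53 any
 permit udp host n.t.p.1 eq 123 any
 deny   udp any any log
 remark ICMP: replies and error messages only
 permit icmp any any echo-reply
 permit icmp any any unreachable
 permit icmp any any time-exceeded
 deny   icmp any any log
 deny   ip any any log
!
interface Serial0/2/0
 ip address negotiated
 ip nat outside
 ip access-group WAN-IN in
!
! Make the router use exactly the servers the ACL trusts.
ip name-server d.n.s.1
ntp server n.t.p.1
```

Two caveats. First, the old line permitting d.n.s.1 to port 53 of 1.2.3.2 is left out because the configuration shown publishes no DNS service behind the NAT address; put it back if there is one. Second, "established" is stateless (it only checks the ACK/RST bits), exactly as in the original list, so this widening changes nothing about that exposure. The stateful alternative is not a reflexive ACL: IOS does not run outbound access lists over packets the router generates itself, so "reflect" entries are never created for the router's own DNS or NTP. On images with the firewall feature set that accept the router-traffic keyword (the feature Cisco documents as stateful inspection of router-generated traffic), "ip inspect name WAN udp router-traffic", "ip inspect name WAN icmp router-traffic" and "ip inspect name WAN tcp router-traffic", applied with "ip inspect WAN out" on Serial0/2/0, open the return path dynamically and the inbound list can then end at "deny ip any any log" with no return-traffic permits at all.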







Drone Armies C&C Report - 31 May 2006

2006-05-31 Thread c2report



This is a periodic public report from the ISOTF's affiliated group 'DA'
(Drone Armies (botnets) research and mitigation mailing list / TISF
DA) with the ISOTF affiliated ASreport project (TISF / RatOut).

For this report it should be noted that we base our analysis on the data
we have accumulated from various sources, which may be incomplete.

Any responsible party that wishes to receive reports of botnet command
and control servers on their network(s) regularly and directly, feel
free to contact us.

For purposes of this report we use the following terms:
open     the host completed the TCP handshake
closed   no activity detected
reset    issued a RST

This month's survey is of 3151 unique domains (or IPs) with port suspect
C&Cs. This list is extracted from the BBL which has a historical base of
10115 reported C&Cs. Of the suspect C&Cs surveyed, 649 reported as Open,
935 reported as closed, and 569 issued resets to the survey instrument. Of
the C&Cs listed by domain name in our C&C database, 4666 are mitigated.

Top 20 ASNes by Total suspect domains mapping to a host in the ASN.
These numbers are determined by counting the number of domains which
resolve to a host in the ASN.  We do not remove duplicates and some of
the ASNs reported have many domains mapping to a single IP.  Note the
Percent_resolved figure is calculated using only the Total and Open
counts and does not represent a mitigation effectiveness metric.

  ASN  Responsible Party                     Total  Open  Percent_Resolved
13301  UNITEDCOLO-AS Autonomous System of       54    27                50
19318  AIC-81 Albany International Corp.        49    14                71
 4134  CHINANET-BACKBONE                        37    16                57
23522  CIT-FOONET                               35    20                43
 8972  INTERGENIA-ASN intergenia autonomou      35    17                51
 4766  KIXS-AS-KR                               32     7                78
 4314  IIS-64 I-55 INTERNET SERVICES            28     1                96
 4837  CHINA169-Backbone                        27     8                70
30315  Everyones Internet                       25    11                56
33597  InfoRelay Online Systems, Inc.           24     0               100
 7132  SBC Internet Services                    24     5                79
 9318  HANARO-AS                                24     8                67
 3561  Savvis                                   23     3                87
 8560  SCHLUND-AS                               22     5                77
13749  EVRY Everyones Internet                  22     2                91
13213  UK2NET-AS UK-2 Ltd Autonomous Syste      20     0               100
29073  COLINKS-AS Colinks web and game hos      19    13                32
27595  ATRIV Atrivo                             19     3                84
 3462  HINET                                    19     7                63
21840  SAGONE Sago Networks                     18     3                83

Top 20 ASNes by number of active suspect C&Cs.  These counts are
determined by the number of suspect domains or IPs located within
the ASN that completed a connection request.

  ASN  Responsible Party                     Total  Open  Percent_Resolved
13301  UNITEDCOLO-AS Autonomous System of       54    27                50
23522  CIT-FOONET                               35    20                43
 8972  INTERGENIA-ASN intergenia autonomou      35    17                51
 4134  CHINANET-BACKBONE                        37    16                57
13237  LAMBDANET-AS                             18    14                22
19318  AIC-81 Albany International Corp.        49    14                71
29073  COLINKS-AS Colinks web and game hos      19    13                32
30315  Everyones Internet                       25    11                56
  174  Cogent Communications                    16    10                38
 9318  HANARO-AS                                24     8                67
 4837  CHINA169-Backbone                        27     8                70
 3269  TELECOM ITALIA                           12     7                42
 3462  HINET                                    19     7                63
 4766  KIXS-AS-KR                               32     7                78
19262  Verizon Internet Services                14     7                50
12322  PROXAD AS for Proxad ISP                  6     6                 0
28753  NETDIRECT AS NETDIRECT Frankfurt          8     6                25
16265  LEASEWEB AS                              11     6                45
 3786  ERX-DACOMNET                              9     6                33
 9600  SONY CORPORATION                          7     6                14


Randal Vaughn                    Gadi Evron
Professor                        ge at linuxbox.org
Baylor University
Waco, TX
(254) 710 4756
randy_vaughn at baylor.edu
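The survey the report describes, the open/closed/reset classification of each suspect C&C and the per-ASN Total/Open/Percent_resolved roll-up, as an added example written for this page. It is not the report authors' instrument: the ASN mapping is supplied by the caller (the report derives it from routing data, which is not reproduced here), and the loopback targets and the private-use ASN 64512 in the demo are constructed.

```python
"""Added example, not part of the TISF/ISOTF report or its tooling. A minimal
survey instrument that classifies a suspect C&C host:port with the report's
own three terms, plus the per-ASN roll-up the report tabulates:

    open    the host completed the TCP handshake
    reset   the host answered the SYN with a RST (connect() is refused)
    closed  no activity: the probe timed out or the host was unreachable

The ASN mapping used by asn_table() is supplied by the caller; the report
derives it from routing data, which is not reproduced here."""
import socket
from collections import defaultdict


def probe(host, port, timeout=3.0):
    """Return 'open', 'reset' or 'closed' for one TCP target.

    Order of the except clauses matters: ConnectionRefusedError is a subclass
    of OSError, and a refused connection means a RST came back, which is
    evidence of a live host and is reported separately from silence."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "reset"
    except OSError:          # timeout, host/network unreachable, no route
        return "closed"
    finally:
        s.close()


def survey(targets, timeout=3.0):
    """targets: iterable of (host, port). Returns [(host, port, status), ...]."""
    return [(h, p, probe(h, p, timeout)) for h, p in targets]


def asn_table(results, asn_of):
    """Roll survey results up per ASN the way the report does.

    results: iterable of (host, status) pairs (duplicates are kept, as in the
    report); asn_of: mapping host -> ASN. Returns rows of
    (asn, total, open, percent_resolved) sorted by total descending, where
    percent_resolved = 100 * (total - open) / total rounded to a whole
    percent. As the report notes, this only says how many suspect entries
    did not answer, not why."""
    total, opened = defaultdict(int), defaultdict(int)
    for host, status in results:
        asn = asn_of[host]
        total[asn] += 1
        if status == "open":
            opened[asn] += 1
    rows = []
    for asn, t in total.items():
        o = opened[asn]
        rows.append((asn, t, o, int(100 * (t - o) / t + 0.5)))
    rows.sort(key=lambda r: (-r[1], r[0]))
    return rows


# --- helpers so the instrument can be exercised offline on loopback ---------

def listening_port():
    """Open a listening socket on 127.0.0.1 and return (socket, port). The
    kernel completes the handshake for a SYN to it, so the probe reports
    'open' even though nothing ever calls accept()."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


def unused_port():
    """Bind an ephemeral port and release it: a later connect() to it is
    refused, i.e. answered with a RST."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    srv, open_port = listening_port()
    closed_port = unused_port()
    # Constructed targets: two loopback "C&Cs" in one constructed ASN.
    results = survey([("127.0.0.1", open_port), ("127.0.0.1", closed_port)])
    srv.close()
    for host, port, status in results:
        print(f"{host}:{port:<6} {status}")
    asn_of = {"127.0.0.1": 64512}   # constructed private-use ASN
    for asn, t, o, pct in asn_table([(h, st) for h, _, st in results], asn_of):
        print(f"AS{asn}: total={t} open={o} percent_resolved={pct}")
```

Against real targets the instrument should be run from an address and at a rate the operator is prepared to explain, and the per-ASN table should be read the way the report reads it: a high Percent_resolved only means the listed entries did not answer on the day of the survey.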



Telia network degradation / POC

2006-05-31 Thread Jeremy Chadwick

Does anyone have a contact number/POC of any sort for Telia that's
within the United States?  Jared's NOC list only contains a contact
number in Sweden.

It seems their network has been falling apart both within Sweden and
the US since the raid on TPB (ThePirateBay.org) earlier today.  Sure,
it's probably kiddies as usual, but this is pretty major.  Can anyone
confirm/deny?

 Host                          Loss%   Snt   Rcv   Last    Avg   Best   Wrst  StDev
 1. gige-g6-0-19.gsr12012.fmt.  0.0%   119   119    0.3    0.3    0.2    0.6    0.1
 2. pos1-0.gsr12416.fmt.he.net  0.0%   119   119   51.5   19.6    0.4  266.9   50.7
 3. pos10-0.gsr12416.sjc2.he.n  0.8%   119   118    1.1   11.2    0.9  199.1   36.4
 4. sjo-bb1-pos5-2-0.telia.net 19.3%   119    96    1.0    5.2    0.9  145.5   18.3
 5. las-bb1-pos7-0-0-0.telia.n 36.4%   119    75   13.6   17.3   13.5  133.4   16.2
 6. dsl-bb1-pos7-0-0.telia.net 56.4%   118    51   80.9   51.7   48.1  114.5   12.0
 7. nyk-bb2-link.telia.net     82.1%   118    21   85.6   85.4   85.2   85.7    0.1
 8. kbn-bb2-link.telia.net     53.8%   118    54  165.7  166.1  165.6  177.5    1.6
 9. s-bb2-link.telia.net       52.1%   118    56  177.3  177.8  177.1  196.6    2.7
10. s-b4-pos5-0.telia.net      52.1%   118    56  177.3  184.2  177.2  318.2   26.1
11. hy-peer1-pos4-0.se.telia.n 52.1%   118    56  177.4  183.5  177.2  318.6   26.7
12. hy-c1-link.se.telia.net    52.1%   118    56  177.4  184.7  177.3  357.0   31.5
13. oes-b-c1-link.se.telia.net 53.0%   118    55  190.4  190.4  190.2  191.0    0.1
14. ll-d6-link.se.telia.net    52.1%   118    56  195.3  195.3  194.8  203.7    1.2
15. bd-a13-link.se.telia.net   53.0%   118    55  195.5  206.1  195.3  408.6   39.6
16. 213.65.248.233             52.1%   118    56  193.9  194.1  193.8  196.9    0.4

Thanks.

-- 
| Jeremy Chadwick                                jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |



Re: Telia network degradation / POC

2006-05-31 Thread Richard A Steenbergen

On Wed, May 31, 2006 at 06:48:06PM -0700, Jeremy Chadwick wrote:
> 
> Does anyone have a contact number/POC of any sort for Telia that's
> within the United States?  Jared's NOC list only contains a contact
> number in Sweden.
> 
> It seems their network has been falling apart both within Sweden and
> the US since the raid on TPB (ThePirateBay.org) earlier today.  Sure,
> it's probably kiddies as usual, but this is pretty major.  Can anyone
> confirm/deny?
> 
>  Host                          Loss%   Snt   Rcv   Last    Avg   Best   Wrst  StDev
>  1. gige-g6-0-19.gsr12012.fmt.  0.0%   119   119    0.3    0.3    0.2    0.6    0.1
>  2. pos1-0.gsr12416.fmt.he.net  0.0%   119   119   51.5   19.6    0.4  266.9   50.7
>  3. pos10-0.gsr12416.sjc2.he.n  0.8%   119   118    1.1   11.2    0.9  199.1   36.4
>  4. sjo-bb1-pos5-2-0.telia.net 19.3%   119    96    1.0    5.2    0.9  145.5   18.3

Notice how your loss starts at the border between Hurricane Electric and 
Telia? HE is a customer of Telia. You should be contacting your 
provider (HE) to resolve the issue, not Telia.

-- 
Richard A Steenbergen <[EMAIL PROTECTED]>   http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)


Re: BCP for Abuse Desk

2006-05-31 Thread Steve Linford


On 31 May 2006, at 00:02, Dave Rand wrote:

> I know that there was an Abuse Desk BCP working group started a few
> years ago. Can anyone give me an update on BCP practices that I can
> refer ISPs to?


Not a BCP, but we have a section for ISP Abuse Desks at
http://www.spamhaus.org/isp/ with useful info including a FAQ for Abuse
Issues and Handling, Feedback Loops, Port 25 blocking, etc., plus an
online AUP builder. These are at:


ISP Abuse Issues FAQ:
http://www.spamhaus.org/faq/answers.lasso?section=ISP%20Spam%20Issues

ISP Acceptable Use Policy builder:
http://www.spamhaus.org/isp/create_aup.lasso

  Steve Linford
  The Spamhaus Project
  http://www.spamhaus.org