The hack does not require the usage of all 4 protocols. Using any one of
them will allow disabling the router interface.

Using hping to test is the best way to see what I mean.

John


On Wed, 2003-07-23 at 14:16, DOUGLAS GULLETT wrote:
> I don't think you have to put all the access-list in.  I believe that 
> the hack requires a certain combination of packets to the four ports, 
> so leaving one or two of them open should still prevent the hack.  That 
> might be a good question for Cisco TAC...they should be willing to help 
> even if you "misplaced" your SmartNet contract information.  ;-)
> 
> Doug
> 
> 
> 
> ----- Original Message -----
> From: Alvaro Gordon-Escobar <[EMAIL PROTECTED]>
> Date: Wednesday, July 23, 2003 10:15 am
> Subject: Cisco Workaround
> 
> > Will this access list modification prevent my internal DNS server 
> > from updates to itself from my telco's DNS server?
> > 
> > access-list 101 deny 53 any any
> > access-list 101 deny 55 any any
> > access-list 101 deny 77 any any
> > access-list 101 deny 103 any any
> > !--- insert any other previously applied ACL entries here
> > !--- you must permit other protocols through to allow normal
> > !--- traffic -- previously defined permit lists will work
> > !--- or you may use the permit ip any any shown here
> > access-list 101 permit ip any any
> > 
> > Thanks in advance
> > 
> > ~alvaro Escobar
> > 
> > 
> > 
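
An added example, not part of the original thread: in an IOS extended access list the field after `permit`/`deny` is an IP protocol number, not a TCP or UDP port. This simplified first-match model of the quoted ACL shows how DNS traffic and the four protocol numbers are treated; the function names and sample packets are constructed for illustration and only `any any` entries are modelled.

```python
# Added example: first-match evaluation of the quoted ACL (simplified model).
ACL_101 = """\
access-list 101 deny 53 any any
access-list 101 deny 55 any any
access-list 101 deny 77 any any
access-list 101 deny 103 any any
access-list 101 permit ip any any
"""

# Keywords accepted in the protocol field, mapped to IP protocol numbers.
# "ip" matches every protocol, so it maps to None here.
PROTO_KEYWORDS = {"ip": None, "icmp": 1, "tcp": 6, "udp": 17}


def parse_acl(text):
    """Return [(action, protocol_number_or_None)] for 'any any' entries."""
    rules = []
    for line in text.splitlines():
        fields = line.split()
        if (len(fields) != 6 or fields[0] != "access-list"
                or fields[4:] != ["any", "any"]):
            continue  # comments ("!---") and anything this model does not cover
        action, proto = fields[2], fields[3]
        number = PROTO_KEYWORDS[proto] if proto in PROTO_KEYWORDS else int(proto)
        rules.append((action, number))
    return rules


def evaluate(rules, ip_protocol):
    """First matching entry wins; an access list ends with an implicit deny."""
    for action, number in rules:
        if number is None or number == ip_protocol:
            return action
    return "deny"


# Constructed sample packets: (description, IP protocol number, L4 dest port).
# The port is never consulted because no entry above carries a port qualifier.
SAMPLES = [
    ("DNS query over UDP, port 53", 17, 53),
    ("DNS zone transfer over TCP, port 53", 6, 53),
    ("IP protocol 53", 53, None),
    ("IP protocol 103", 103, None),
]

if __name__ == "__main__":
    rules = parse_acl(ACL_101)
    for description, proto, _port in SAMPLES:
        print(f"{evaluate(rules, proto):6}  {description}")
```

DNS rides on UDP (protocol 17) or TCP (protocol 6), so it falls through to the final `permit ip any any` entry, while packets whose IP protocol field is 53, 55, 77 or 103 are dropped.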

