Weird ACL Statement -- Explain?

Answered Question
Sep 20th, 2008

Can someone explain this ACL?


Once you think you know ACLs inside and out, and that they are so basic, you get something like this thrown at ya. lol


ip access-list extended Virus_LAN
 deny 53 any any
 deny 55 any any
 deny 77 any any
 deny pim any any
 deny tcp any any eq 4444
 deny tcp any any eq 5554

Correct Answer by Mark Yeates, Sat, 09/20/2008 - 09:44

Victor,

If I remember correctly this was a recommended step for a vulnerability a few years ago. This ACL is denying protocol types.

Cisco IOS is vulnerable to a flaw that can allow a remote attacker to cause a denial of service condition. The vulnerability is due to how malformed IPv4 packets are processed. Packets with a protocol type of 53 (SWIPE), 55 (IP Mobility), 77 (Sun ND), or 103 (Protocol Independent Multicast - PIM) can incorrectly cause the interface input queue to be flagged as full. An attacker can send a series of packets that will cause the interface to stop processing further network traffic.

HTH,

Mark

lamav Sat, 09/20/2008 - 09:56

Alright!

Thanks guys.

I got confused because I couldn't understand what the 53, 55 and 77 stood for. Were they TCP/UDP port numbers? IP port numbers? etc etc etc....

Cisco's website didn't offer any information either....at least I couldn't find any.

Thanks, gents.

Victor

glen.grant Sat, 09/20/2008 - 16:06

Hopefully that is not the whole ACL; if it is, it is not doing anything except blocking all traffic, because there is no permit statement.

lamav Sun, 09/21/2008 - 17:34

Glen:

There was indeed a 'permit ip any any' at the end. I just didn't show it because it wasn't the focus of my question.

Victor

andrew.burns Thu, 09/25/2008 - 04:54

Hi,

One other point not mentioned is that the last two statements can sometimes be a bad idea:

deny tcp any any eq 4444
deny tcp any any eq 5554

Depending on feature set (i.e. anything non-firewall) you can block legitimate traffic that just happens to be using these source ports. (Without FW feature set the router doesn't know the difference between an incoming packet with that destination port or a returning packet with that source port.)

HTH

Andrew.
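As an added example (not from the thread and not Cisco code), the Python below models how IOS walks an extended ACL of the shape posted above: first match wins, with the implicit deny at the end. It spells out what each entry really matches, which is Mark's point (53, 55, 77 and pim are IP protocol numbers, not TCP/UDP ports, so a DNS packet on UDP port 53 sails past `deny 53 any any`), shows Glen's point (drop the trailing permit and everything hits the implicit deny), and reproduces Andrew's point: a reply to a client whose ephemeral source port happens to be 4444 arrives with destination port 4444 and is dropped, while putting `permit tcp any any established` ahead of the port denies lets it through. Assumptions: protocol numbers as in the IANA registry, the IOS `established` keyword matching TCP segments with ACK or RST set, and only the `any any` / destination `eq` forms being parsed; all packets are constructed samples.

```python
"""Evaluate Cisco IOS extended-ACL entries of the shapes used in this thread.

Added example for this thread, not Cisco code. Assumptions: protocol numbers
follow the IANA registry (53 = SWIPE, 55 = IP Mobility, 77 = Sun ND,
103 = PIM); an IOS 'established' entry matches TCP segments with ACK or RST
set; only 'any any' source/destination and a destination 'eq' port are parsed.
All packets below are constructed samples.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

# Keywords IOS accepts in place of a protocol number (IANA values).
IOS_PROTO_NAMES = {"icmp": 1, "tcp": 6, "udp": 17, "pim": 103}
PROTO_LABELS = {1: "ICMP", 6: "TCP", 17: "UDP", 53: "SWIPE",
                55: "IP Mobility", 77: "Sun ND", 103: "PIM"}


@dataclass
class Packet:
    proto: int                   # IP protocol field, not a port
    sport: int = 0               # TCP/UDP source port (0 if not TCP/UDP)
    dport: int = 0               # TCP/UDP destination port
    flags: Tuple[str, ...] = ()  # TCP flags, e.g. ("SYN",) or ("ACK",)


@dataclass
class Entry:
    action: str                  # "permit" or "deny"
    proto: Optional[int]         # None means the 'ip' keyword (any protocol)
    dport: Optional[int]         # destination port from 'eq', if any
    established: bool
    text: str                    # original line, reported on match


def parse_entry(line: str) -> Entry:
    """Parse '<permit|deny> <proto> any any [eq PORT] [established]'."""
    tok = line.split()
    action, proto_tok = tok[0], tok[1]
    if action not in ("permit", "deny"):
        raise ValueError(f"bad action: {line}")
    if proto_tok == "ip":
        proto = None
    elif proto_tok in IOS_PROTO_NAMES:
        proto = IOS_PROTO_NAMES[proto_tok]
    elif proto_tok.isdigit() and 0 <= int(proto_tok) <= 255:
        proto = int(proto_tok)            # numeric protocol, e.g. 53
    else:
        raise ValueError(f"unsupported protocol token: {line}")
    if tok[2:4] != ["any", "any"]:
        raise ValueError(f"only 'any any' supported here: {line}")
    dport, established, rest = None, False, tok[4:]
    while rest:
        if rest[0] == "eq":               # 'eq' after the destination: destination port
            dport, rest = int(rest[1]), rest[2:]
        elif rest[0] == "established":
            established, rest = True, rest[1:]
        else:
            raise ValueError(f"unsupported qualifier: {line}")
    return Entry(action, proto, dport, established, line)


def describe(line: str) -> str:
    """Spell out what an entry actually matches (protocol vs. port)."""
    e = parse_entry(line)
    what = ("any IP protocol" if e.proto is None else
            f"IP protocol {e.proto} ({PROTO_LABELS.get(e.proto, 'other')})")
    s = f"{e.action} {what}"
    if e.dport is not None:
        s += f", destination port {e.dport}"
    if e.established:
        s += ", only if ACK or RST is set"
    return s


def matches(e: Entry, p: Packet) -> bool:
    if e.proto is not None and e.proto != p.proto:
        return False
    if e.dport is not None and e.dport != p.dport:
        return False
    if e.established and not ("ACK" in p.flags or "RST" in p.flags):
        return False
    return True


def evaluate(acl, p: Packet):
    """First-match semantics with IOS's implicit deny at the end."""
    for e in map(parse_entry, acl):
        if matches(e, p):
            return e.action, e.text
    return "deny", "implicit deny"


# The ACL from the thread, including the 'permit ip any any' Victor left out.
VIRUS_LAN = [
    "deny 53 any any", "deny 55 any any", "deny 77 any any",
    "deny pim any any", "deny tcp any any eq 4444",
    "deny tcp any any eq 5554", "permit ip any any",
]
# Variant that lets replies to outbound TCP connections through before the
# port denies (a flag check only, not stateful inspection).
VIRUS_LAN_ESTABLISHED = ["permit tcp any any established"] + VIRUS_LAN

if __name__ == "__main__":
    for line in VIRUS_LAN[:5]:
        print(f"{line:28} -> {describe(line)}")
    reply = Packet(proto=6, sport=80, dport=4444, flags=("ACK",))
    print("reply to client port 4444:", evaluate(VIRUS_LAN, reply))
    print("same, with 'established':", evaluate(VIRUS_LAN_ESTABLISHED, reply))
    print("UDP/53 against 'deny 53':", evaluate(VIRUS_LAN, Packet(proto=17, dport=53)))
```

The `established` variant is the classic non-firewall workaround and shares the weakness Andrew alludes to: it only looks at TCP flag bits, so any packet with ACK set is let past the port denies. Real connection tracking needs the firewall feature set (CBAC or the zone-based firewall), which is why the distinction between a new inbound connection and a reply matters in his post.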

