Weird ACL Statement -- Explain?

lamav
Level 8

Can someone explain this ACL?

Once you think you know ACLs inside and out, and that they are so basic, you get something like this thrown at ya. lol

ip access-list extended Virus_LAN
 deny 53 any any
 deny 55 any any
 deny 77 any any
 deny pim any any
 deny tcp any any eq 4444
 deny tcp any any eq 5554


Jon Marshall
Hall of Fame

Victor

These are IP protocol numbers, i.e. they live at the same level as ICMP, GRE, EIGRP etc.

See attached link for full list of them -

http://www.iana.org/assignments/protocol-numbers/

Jon

Mark Yeates
Level 7

Victor,

If I remember correctly this was a recommended step for a vulnerability a few years ago. This ACL is denying protocol types.

Cisco IOS is vulnerable to a flaw that can allow a remote attacker to cause a denial of service condition. The vulnerability is due to how malformed IPv4 packets are processed. Packets with a protocol type of 53 (SWIPE), 55 (IP Mobility), 77 (Sun ND), or 103 (Protocol Independent Multicast - PIM) can incorrectly cause the interface input queue to be flagged as full. An attacker can send a series of packets that will cause the interface to stop processing further network traffic.

HTH,

Mark

Alright!

Thanks guys.

I got confused because I couldn't understand what the 53, 55 and 77 stood for. Were they TCP/UDP port numbers? IP port numbers? etc. etc. etc.

Cisco's website didn't offer any information either... at least I couldn't find any.

Thanks, gents.

Victor

glen.grant
VIP Alumni

Hopefully that is not the whole ACL; if it is, it is not doing anything except blocking all traffic, because there is no permit statement.

Glen:

There was indeed a 'permit ip any any' at the end. I just didn't show it because it wasn't the focus of my question.

Victor

Hi,

One other point not mentioned is that the last two statements can sometimes be a bad idea:

deny tcp any any eq 4444

deny tcp any any eq 5554

Depending on feature set (i.e. anything non-firewall) you can block legitimate traffic that just happens to be using these source ports. (Without the FW feature set the router doesn't know the difference between an incoming packet with that destination port and a returning packet with that source port.)

HTH

Andrew.
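The following is an added example, not code from the thread or from Cisco. It pulls together the points made above by Jon and Mark (the bare number after `deny` is an IP protocol number from the IANA registry, the same layer as icmp, gre or pim), by Glen (an ACL with no permit denies everything, because of the implicit deny at the end) and by Andrew (a stateless `deny tcp any any eq 4444` also drops the return traffic to a host whose ephemeral source port happened to be 4444). It parses the ACL from the question, resolves each entry against a small embedded subset of the IANA protocol-numbers registry, and then evaluates constructed packets against it first-match. Assumptions: only the `any any [eq PORT]` entry form used in the thread is supported, and the `sessions` table in `evaluate_stateful` is a simplified stand-in for what a stateful inspection feature tracks, not a model of IOS's actual implementation.

```python
"""Parse the thread's ACL entries and evaluate packets against them first-match.

Added example (not from the thread or Cisco). Supports only the
'permit|deny PROTO any any [eq PORT]' form seen in the question; the session
table is a simplified stand-in for stateful inspection, not IOS's real logic.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Subset of the IANA protocol-numbers registry Jon linked to.
IANA_PROTOCOL = {
    1: "icmp", 6: "tcp", 17: "udp", 47: "gre", 53: "swipe", 55: "mobile",
    77: "sun-nd", 88: "eigrp", 89: "ospf", 103: "pim",
}
# IOS keywords accepted in place of a number; "ip" means any IP protocol.
IOS_KEYWORD = {"ip": None, "icmp": 1, "tcp": 6, "udp": 17, "gre": 47,
               "eigrp": 88, "ospf": 89, "pim": 103}

ACE_RE = re.compile(r"^(permit|deny)\s+(\S+)\s+any\s+any(?:\s+eq\s+(\d+))?$")


@dataclass(frozen=True)
class Ace:
    action: str               # "permit" or "deny"
    proto: Optional[int]      # IP protocol number; None means any ("ip")
    dst_port: Optional[int]   # "eq PORT" after the destination address


@dataclass(frozen=True)
class Packet:
    proto: int
    src_port: Optional[int] = None   # L4 ports only meaningful for tcp/udp
    dst_port: Optional[int] = None


def parse_ace(line: str) -> Ace:
    m = ACE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unsupported ACE (only 'any any [eq PORT]' handled): {line!r}")
    action, proto_tok, port = m.groups()
    if proto_tok.isdigit():
        proto = int(proto_tok)          # 53, 55, 77: IP protocol numbers, not ports
    elif proto_tok in IOS_KEYWORD:
        proto = IOS_KEYWORD[proto_tok]  # e.g. pim -> 103
    else:
        raise ValueError(f"unknown protocol token: {proto_tok!r}")
    if port is not None and proto not in (6, 17):
        raise ValueError("'eq PORT' is only valid for tcp or udp entries")
    return Ace(action, proto, int(port) if port else None)


def describe(ace: Ace) -> str:
    """Readable form of an entry, resolving numbers through the registry subset."""
    if ace.proto is None:
        what = "any IP protocol"
    else:
        what = f"IP protocol {ace.proto} ({IANA_PROTOCOL.get(ace.proto, 'unassigned')})"
    if ace.dst_port is not None:
        what += f" to destination port {ace.dst_port}"
    return f"{ace.action} {what}"


def matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto is not None and ace.proto != pkt.proto:
        return False
    return ace.dst_port is None or ace.dst_port == pkt.dst_port


def evaluate(acl: list, pkt: Packet) -> str:
    """Stateless first-match evaluation with IOS's implicit deny at the end."""
    for ace in acl:
        if matches(ace, pkt):
            return ace.action
    return "deny"


def evaluate_stateful(acl: list, pkt: Packet, sessions: set) -> str:
    """Check a table of outbound TCP sessions, keyed (client_port, server_port),
    before the ACL, the way a stateful feature would admit return traffic."""
    if pkt.proto == 6 and (pkt.dst_port, pkt.src_port) in sessions:
        return "permit"
    return evaluate(acl, pkt)


# Entries as posted, then the full list with the permit Victor later confirmed.
POSTED = ["deny 53 any any", "deny 55 any any", "deny 77 any any",
          "deny pim any any", "deny tcp any any eq 4444", "deny tcp any any eq 5554"]
ACL_AS_POSTED = [parse_ace(l) for l in POSTED]
VIRUS_LAN = ACL_AS_POSTED + [parse_ace("permit ip any any")]

if __name__ == "__main__":
    for ace in VIRUS_LAN:
        print(describe(ace))
    # Constructed packets: a SWIPE datagram, an ordinary HTTPS request, and the
    # SYN/ACK coming back to a client that picked 4444 as its source port.
    print(evaluate(VIRUS_LAN, Packet(53)))                    # deny
    print(evaluate(VIRUS_LAN, Packet(6, 49152, 443)))         # permit
    print(evaluate(ACL_AS_POSTED, Packet(6, 49152, 443)))     # deny: no permit
    reply = Packet(6, src_port=80, dst_port=4444)
    print(evaluate(VIRUS_LAN, reply))                         # deny
    print(evaluate_stateful(VIRUS_LAN, reply, {(4444, 80)}))  # permit
```

The last two lines are Andrew's caveat in miniature: applied inbound on a non-firewall image, the entry matches the reply's destination port 4444 and drops a legitimate session, which is not rare on hosts whose ephemeral range covers 4444 and 5554 (the classic Windows default of 1025-5000 does). Only the session-aware evaluation distinguishes that reply from a genuine inbound connection to port 4444, which both evaluations still deny.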
