09-20-2008 09:30 AM - edited 03-06-2019 01:29 AM
Can someone explain this ACL?
Once you think you know ACLs inside and out, and that they are so basic, you get something like this thrown at ya. lol
ip access-list extended Virus_LAN
deny 53 any any
deny 55 any any
deny 77 any any
deny pim any any
deny tcp any any eq 4444
deny tcp any any eq 5554
09-20-2008 09:44 AM
Victor,
If I remember correctly this was a recommended step for a vulnerability a few years ago. This ACL is denying protocol types.
Cisco IOS is vulnerable to a flaw that can allow a remote attacker to cause a denial of service condition. The vulnerability is due to how malformed IPv4 packets are processed. Packets with a protocol type of 53 (SWIPE), 55 (IP Mobility), 77 (Sun ND), or 103 (Protocol Independent Multicast - PIM) can incorrectly cause the interface input queue to be flagged as full. An attacker can send a series of packets that will cause the interface to stop processing further network traffic.
HTH,
Mark
09-20-2008 09:37 AM
Victor
These are IP protocol numbers, ie. they live at the same level as ICMP, GRE, EIGRP etc..
See attached link for full list of them -
http://www.iana.org/assignments/protocol-numbers/
Jon
09-20-2008 09:56 AM
Alright!
Thanks guys.
I got confused because I couldn't understand what the 53, 55 and 77 stood for. Were they TCP/UDP port numbers? IP port numbers? etc etc etc....
Cisco's website didn't offer any information either....at least I couldn't find any.
Thanks, gents.
Victor
09-20-2008 04:06 PM
Hopefully that is not the whole ACL; if it is, it is not doing anything except blocking all traffic, because there is no permit statement.
09-21-2008 05:34 PM
Glen:
There was indeed a 'permit ip any any' at the end. I just didn't show it because it wasn't the focus of my question.
Victor
09-25-2008 04:54 AM
Hi,
One other point not mentioned is that the last two statements can sometimes be a bad idea:
deny tcp any any eq 4444
deny tcp any any eq 5554
Depending on feature set (i.e. anything non-firewall) you can block legitimate traffic that just happens to be using these source ports. (Without FW feature set the router doesn't know the difference between an incoming packet with that destination port or a returning packet with that source port)
HTH
Andrew.
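An added example, not from the thread or from Cisco: a small evaluator for the Virus_LAN ACL above (with the trailing 'permit ip any any' Victor mentions) run against constructed packets. It shows the IP-protocol-number denies Mark and Jon describe, Glen's point that an ACL without a permit blocks everything, and Andrew's caveat that a stateless 'eq 4444' also drops a legitimate reply whose destination port happens to be 4444. The Packet class, evaluate() and the sample packets are assumptions of this example.

```python
# Added example: a minimal IOS-style ACL evaluator for the Virus_LAN ACL.
# IP protocol numbers are the IANA values (53 SWIPE, 55 IP Mobility,
# 77 Sun ND, 103 PIM); the packets below are constructed, not captured.
from dataclasses import dataclass
from typing import Optional

@dataclass
class Packet:
    proto: int                    # IP protocol number (6 = TCP, 17 = UDP, 103 = PIM)
    src: str
    dst: str
    sport: Optional[int] = None   # only meaningful for TCP/UDP
    dport: Optional[int] = None

# Each entry is (action, protocol, destination port); every line in the
# thread's ACL uses "any any" for source/destination, so hosts are omitted.
PROTO_NAMES = {"tcp": 6, "udp": 17, "pim": 103}

VIRUS_LAN = [
    ("deny", 53, None),       # SWIPE
    ("deny", 55, None),       # IP Mobility
    ("deny", 77, None),       # Sun ND
    ("deny", "pim", None),    # IP protocol 103
    ("deny", "tcp", 4444),
    ("deny", "tcp", 5554),
    ("permit", "ip", None),   # the line Victor left out of his post
]

def evaluate(acl, pkt: Packet) -> str:
    """First matching line wins; implicit deny if nothing matches.
    'eq <port>' after the destination matches the destination port only;
    a router without stateful inspection cannot tell a new connection
    from a reply, which is Andrew's caveat."""
    for action, proto, dport in acl:
        want = None if proto == "ip" else PROTO_NAMES.get(proto, proto)
        if want is not None and pkt.proto != want:
            continue
        if dport is not None and pkt.dport != dport:
            continue
        return action
    return "deny"   # implicit deny at the end of every IOS ACL

# Constructed packets: a PIM hello, an ordinary HTTPS request, and a reply
# from a web server to a client whose ephemeral source port was 4444.
pim_hello = Packet(proto=103, src="10.0.0.2", dst="224.0.0.13")
https_req = Packet(proto=6, src="10.0.0.5", dst="203.0.113.10", sport=51000, dport=443)
unlucky_reply = Packet(proto=6, src="203.0.113.10", dst="10.0.0.5", sport=443, dport=4444)

if __name__ == "__main__":
    for name, p in [("pim", pim_hello), ("https", https_req), ("reply->4444", unlucky_reply)]:
        print(f"{name:12s} {evaluate(VIRUS_LAN, p)}")
```

Dropping the last entry of VIRUS_LAN reproduces Glen's observation: with no permit line, even the HTTPS request falls through to the implicit deny.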