Cisco Support Community
Weird ACL Statement -- Explain?

Can someone explain this ACL?

Once you think you know ACLs inside and out, and that they are so basic, you get something like this thrown at ya. lol

ip access-list extended Virus_LAN
 deny 53 any any
 deny 55 any any
 deny 77 any any
 deny pim any any
 deny tcp any any eq 4444
 deny tcp any any eq 5554

Accepted Solutions

Re: Weird ACL Statement -- Explain?

Victor,

If I remember correctly this was a recommended step for a vulnerability a few years ago. This ACL is denying protocol types.

Cisco IOS is vulnerable to a flaw that can allow a remote attacker to cause a denial of service condition. The vulnerability is due to how malformed IPv4 packets are processed. Packets with a protocol type of 53 (SWIPE), 55 (IP Mobility), 77 (Sun ND), or 103 (Protocol Independent Multicast - PIM) can incorrectly cause the interface input queue to be flagged as full. An attacker can send a series of packets that will cause the interface to stop processing further network traffic.

HTH,

Mark

6 REPLIES

Re: Weird ACL Statement -- Explain?

Victor

These are IP protocol numbers, i.e. they live at the same level as ICMP, GRE, EIGRP etc.

See the attached link for the full list of them:

http://www.iana.org/assignments/protocol-numbers/

Jon


Re: Weird ACL Statement -- Explain?

Alright!

Thanks guys.

I got confused because I couldn't understand what the 53, 55 and 77 stood for. Were they TCP/UDP port numbers? IP port numbers? etc. etc. etc....

Cisco's website didn't offer any information either....at least I couldn't find any.

Thanks, gents.

Victor


Re: Weird ACL Statement -- Explain?

Hopefully that is not the whole ACL; if it is, it is not doing anything except blocking all traffic, because there is no permit statement.


Re: Weird ACL Statement -- Explain?

Glen:

There was indeed a 'permit ip any any' at the end. I just didn't show it because it wasn't the focus of my question.

Victor

Re: Weird ACL Statement -- Explain?

Hi,

One other point not mentioned is that the last two statements can sometimes be a bad idea:

deny tcp any any eq 4444

deny tcp any any eq 5554

Depending on feature set (i.e. anything non-firewall) you can block legitimate traffic that just happens to be using these source ports. (Without FW feature set the router doesn't know the difference between an incoming packet with that destination port or a returning packet with that source port)

HTH

Andrew.
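As an added example that is not part of the thread, a small Python model of this ACL's first-match semantics. It shows that 53/55/77/pim match IP protocol numbers rather than ports (Mark's and Jon's point), that `deny tcp any any eq 4444` also drops a stateless reply whose destination happens to be a client's ephemeral port 4444 (Andrew's point), and that without the closing `permit ip any any` every packet hits the implicit deny (Glen's point). The `Packet`, `parse_ace` and `evaluate` names are assumed for illustration.

```python
# Added example: a minimal evaluator for IOS-style extended ACL entries of the
# form "<permit|deny> <proto> any any [eq <port>]", with first-match semantics
# and the implicit deny at the end of every ACL.
from dataclasses import dataclass

# Protocol keywords IOS accepts, mapped to their IANA protocol numbers.
# "ip" matches any protocol; numeric protocols (53, 55, 77) are parsed as ints.
PROTO_NAMES = {"ip": None, "icmp": 1, "tcp": 6, "udp": 17, "pim": 103}


@dataclass
class Packet:
    proto: int          # IP protocol number (6 = TCP, 53 = SWIPE, 103 = PIM ...)
    src_port: int = 0   # only meaningful for TCP/UDP
    dst_port: int = 0


def parse_ace(line):
    """Return (action, protocol number or None, destination port or None)."""
    tok = line.split()
    action, proto = tok[0], tok[1]
    proto_num = PROTO_NAMES[proto] if proto in PROTO_NAMES else int(proto)
    # "eq <port>" after the destination "any" matches the DESTINATION port only;
    # a stateless router has no idea whether this is a request or a reply.
    dst_port = int(tok[5]) if len(tok) >= 6 and tok[4] == "eq" else None
    return action, proto_num, dst_port


def evaluate(acl_lines, pkt):
    """First matching entry wins; no match at all means the implicit deny."""
    for line in acl_lines:
        action, proto_num, dst_port = parse_ace(line)
        if proto_num is not None and proto_num != pkt.proto:
            continue
        if dst_port is not None and dst_port != pkt.dst_port:
            continue
        return action
    return "deny"


# The ACL from the thread (constructed here from the posted lines).
VIRUS_LAN = [
    "deny 53 any any", "deny 55 any any", "deny 77 any any", "deny pim any any",
    "deny tcp any any eq 4444", "deny tcp any any eq 5554",
]
VIRUS_LAN_WITH_PERMIT = VIRUS_LAN + ["permit ip any any"]

if __name__ == "__main__":
    reply = Packet(proto=6, src_port=80, dst_port=4444)   # web reply to client:4444
    print("SWIPE packet :", evaluate(VIRUS_LAN_WITH_PERMIT, Packet(proto=53)))
    print("HTTP reply   :", evaluate(VIRUS_LAN_WITH_PERMIT, reply))
    print("no permit    :", evaluate(VIRUS_LAN, Packet(proto=6, dst_port=80)))
```

Note that a UDP packet to port 53 (DNS) is still permitted: the entry `deny 53 any any` matches protocol 53, not port 53.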
