icmp port 2048 scan???

skiv
Level 1

Hello Colleagues!

Any ideas how to block these scan attempts:

input ifIndex: 10

source IP address: 217.23.129.225

source port: 0

source AS: <unknown>(0)

output ifIndex: 0

dest IP address: 192.169.204.232

dest port: 2048

dest AS: <unknown>(0)

nexthop: 0.0.0.0

bytes in flow: 92

packets in flow: 1

This is an ICMP echo request to port 2048.

How to write acl to block this activity?

access-list 100 deny icmp ......... ?

Thank you in advance.

7 Replies

milan.kulik
Level 10

Hi,

it depends on what activities you are detecting and what you want to protect.

The easiest way would be to deny all icmp packets from the suspicious source:

access-list 101 deny icmp host 217.23.129.225 any

If you want to protect the destination host from any ICMP attack, use:

access-list 101 deny icmp any host 192.169.204.232

If you want to protect just one host from one attacker, do

access-list 101 deny icmp host 217.23.129.225 host 192.169.204.232

Or you can configure anything less or more specific using

access-list 101 deny icmp source_network source_wild_card destination_network destination_wildcard [ICMP message type]

Regards,

Milan

I already wrote what I want to block.

I want to block only ICMP echo requests which have been sent to dest port 2048.

I do not want to block all ICMP echo request traffic. And of course I know how to write an ACL, and I already wrote ACLs like your examples, but this is not what I want. With this ACL I'm also blocking good ICMP packets.

hbaerten
Level 4

Why do you say it's ICMP?

This is the first time I would see ICMP using port numbers (but then again, one is never too old to learn, right?).

Perhaps you are confusing the scanning TCP or UDP packets with the ICMP unreachable packets that the scanned host returns to the sender?

To block TCP and UDP packets to port 2048 use

access-list 100 deny tcp any host x.x.x.x eq 2048

access-list 100 deny udp any host x.x.x.x eq 2048

hth

Herbert

Hmm, it looks like NetFlow writes ICMP flows with dest port 2048.

All ICMP echo requests have dest port 2048.

It has confused me. Interesting feature.

So, it's like an ICMP echo request flood.

Does anybody know about any virus that makes this activity?

I was confused, too.

I thought (based on your reply to my first advice) you were looking for an ACL which would deny ICMP echo request with UDP/TCP port 2048 in the data part of the packet (this is possible according to RFC792). But it's impossible to configure such an ACL, I'm afraid.

I've noticed a thread on http://www.securityfocus.com/archive/75 describing ICMP 2048 activity (whatever it means).

Have you captured the suspicious packet with any protocol analyzer to see what it looks like exactly?

Regards,

Milan

Hi,

possible virus: Nachi (Welchia)

See the description on the main Cisco TAC page.

(ICMP packet length 92 bytes, dest port 0x0800 hex = 2048)

Regards,

Milan

ahojmark
Level 1

I don't know what you're using to display the above output (NetFlow, maybe?), but it's wrong.

ICMP doesn't use port numbers. Check out RFC792.

Since ICMP doesn't use port numbers, there's no way you can filter ICMP port numbers with router ACLs. What you can filter is specific message types (0-255).

-A

Asbjoern Hoejmark | CTO | CCIE #8525
Wingmen Solutions A/S | Gyngemose Parkvej 50, 1. | DK-2860 Søborg | Denmark
M: +4525162108 | E: ah@wingmen.dk | W: www.wingmen.dk
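The point the thread converges on, as an added example that is not code from the thread or from Cisco: NetFlow v5 has no ICMP type/code fields, so the exporter packs `type * 256 + code` into the destination-port field, which is why every echo request (type 8, code 0) shows up as "dest port 2048" (0x0800). The script below decodes that value back into an ICMP type and code and emits the IOS ACL line that matches on message type instead of a port. The flow records are constructed for this example; the `protocol:` line is an assumption (the record in the original post does not show one), the ACL number 101 is borrowed from Milan's examples, and the keyword table covers only a few common IOS ICMP keywords.

```python
"""Decode the ICMP "port" that NetFlow v5 reports and map it to an IOS ACL
match on ICMP message type.  Added example, not from the thread.

NetFlow v5 carries no ICMP type/code fields; Cisco exporters encode
type * 256 + code into the destination-port field, so an echo request
(type 8, code 0) is reported as "dest port 2048" (0x0800).
"""

ICMP_PROTOCOL = 1  # IP protocol number for ICMP

# A few IOS ACL keywords for ICMP types; used only when the code is 0.
# Other type/code pairs are emitted numerically ("<type> <code>").
IOS_ICMP_KEYWORDS = {
    0: "echo-reply",
    8: "echo",
    11: "time-exceeded",
}


def decode_icmp_port(dst_port):
    """Split a NetFlow dst-port value into (icmp_type, icmp_code)."""
    if not 0 <= dst_port <= 0xFFFF:
        raise ValueError(f"not a 16-bit port value: {dst_port}")
    return dst_port >> 8, dst_port & 0xFF


def parse_flow_record(text):
    """Parse the 'key: value' lines of a flow record like the one in the post."""
    flow = {}
    for line in text.strip().splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        flow[key.strip()] = value.strip()
    return flow


def icmp_acl_entry(flow, acl_number=101):
    """Return an IOS ACL line matching this ICMP flow by message type,
    or None when the flow is not ICMP (TCP/UDP port 2048 is a different thing)."""
    if int(flow.get("protocol", -1)) != ICMP_PROTOCOL:
        return None
    icmp_type, icmp_code = decode_icmp_port(int(flow["dest port"]))
    src = flow["source IP address"]
    dst = flow["dest IP address"]
    if icmp_code == 0 and icmp_type in IOS_ICMP_KEYWORDS:
        match = IOS_ICMP_KEYWORDS[icmp_type]
    else:
        match = f"{icmp_type} {icmp_code}"
    return f"access-list {acl_number} deny icmp host {src} host {dst} {match}"


# Constructed records (the 'protocol:' line is assumed; the post's record lacks it).
ECHO_REQUEST_FLOW = """\
protocol: 1
source IP address: 217.23.129.225
source port: 0
dest IP address: 192.169.204.232
dest port: 2048
bytes in flow: 92
packets in flow: 1
"""

# Constructed: port unreachable (type 3, code 3) encodes as 3*256 + 3 = 771.
PORT_UNREACHABLE_FLOW = """\
protocol: 1
source IP address: 192.169.204.232
source port: 0
dest IP address: 217.23.129.225
dest port: 771
bytes in flow: 56
packets in flow: 1
"""

# Constructed: a real TCP flow to port 2048, which must not be read as ICMP.
TCP_FLOW = """\
protocol: 6
source IP address: 217.23.129.225
source port: 40000
dest IP address: 192.169.204.232
dest port: 2048
bytes in flow: 60
packets in flow: 1
"""

if __name__ == "__main__":
    for record in (ECHO_REQUEST_FLOW, PORT_UNREACHABLE_FLOW, TCP_FLOW):
        flow = parse_flow_record(record)
        print(flow["dest port"], "->", icmp_acl_entry(flow))
```

Because 2048 is simply the encoded form of "type 8, code 0", an ACL that denies ICMP echo from the source is already the narrowest match a router ACL can express for these flows; the decoded type/code is the right thing to log and alert on, and the `None` result for the TCP record keeps a TCP/UDP scan of port 2048 from being confused with ICMP.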