Cisco Support Community
New Member

blocked ports affecting http

At Cisco's recommendation I blocked TCP ports 3127 - 3199 from going out my "inside" interface. Seems these are commonly used ports for mydoom. Now when my user's browsers use those ports as source ports they don't get out until it exceeds that window. Has anyone else seen this issue and how do you work around it?

ACCEPTED SOLUTION
New Member

Re: blocked ports affecting http

Roland,

A MyDoom attack can be initiated from the outside (inbound to your LAN) or from the inside (outbound to your LAN).

IF YOU WANT TO BLOCK INBOUND ATTACKS OF MYDOOM:

If this traffic is flowing through a firewall, then by default, sessions initiated from the outside are blocked unless explicitly permitted inbound. If you are using a router with ACLs, then you have to configure an ACL in the INBOUND direction and apply it to the OUTSIDE interface as such:

--------------------------

For routers:

access-list 111 deny tcp any any range 3127 3199
! without an explicit permit, the implicit deny at the end of the list drops all other traffic
access-list 111 permit ip any any

interface

ip access-group 111 in

--------------------------

In this case, you will experience the issue you already are seeing, because when a web server returns a session packet back to the client (browser), the destination port will match the ACL and the router will drop the session. To overcome this, one can apply an IOS firewall to the outside interface of the router. The ACLs to block inbound attacks of MyDoom are not required then, as the router will maintain a session's stateful information in its table.

IF YOU WANT TO BLOCK OUTBOUND ATTACKS OF MYDOOM:

Then the ACL has to be applied "in" on the "inside" interface.

--------------------------

For PIX Firewall:

access-list 111 deny tcp any any range 3127 3199

access-list 111 permit ip any any

access-group 111 in interface inside

--------------------------

--------------------------

For Router:

access-list 111 deny tcp any any range 3127 3199
! without an explicit permit, the implicit deny at the end of the list drops all other traffic
access-list 111 permit ip any any

interface

ip access-group 111 in

--------------------------

This should provide you with enough information to work through your issue.

Paras

4 REPLIES
New Member

Re: blocked ports affecting http

I have the same set of ports blocked by an ACL and have not seen this issue. Here is what my ACL statement looks like for one:

access-list ACL-Inside deny tcp any any eq 3127

Here is my assignment statement:

access-group ACL-Inside in interface inside

Don't know if this will help, but thought I'd try.

New Member

Re: blocked ports affecting http

Here is what you can do.

Instead of blocking them outbound on the "inside" interface (i.e. the egress interface), block them inbound on one or more of the "outside" interfaces (i.e. the ingress interface(s)).

Blocking those ports going out the inside interface will cause the problem obviously.

-Paras

Cisco Employee

Re: blocked ports affecting http

You probably specified the ports in the source part of the ACL

access-list XX deny tcp any range (ports) any

You should block them using the dst part of the ACL

access-list XX deny tcp any any range (ports)

access-list XX deny udp any any range (ports)

access-list XX permit ip any any

access-group XX in interface inside

For more information please check

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/ab.htm#wp1067755

Hope it helps

Franco Zamora
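The source-port versus destination-port distinction in Franco's reply, and the dropped return traffic Paras describes for a stateless ACL on the outside interface, as an added example that is not part of the original thread and is not Cisco's PIX or IOS code. It is a small evaluator for the Cisco-style access-list lines used above (first match wins, implicit deny at the end), run against constructed packets; the addresses, the ACL number and the session-table helper are assumptions made for the illustration.

```python
"""Added illustration of Cisco-style ACL evaluation (not Cisco code).
Models first-match evaluation with an implicit deny at the end, which is
how PIX and IOS access lists behave. Addresses and packets are constructed."""
from dataclasses import dataclass
from typing import Callable, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int


@dataclass(frozen=True)
class Ace:
    """One access-list entry: action, protocol, source/destination matchers."""
    action: str
    proto: str                       # "tcp", "udp" or "ip" (any protocol)
    src: Callable[[str], bool]
    sport: Tuple[int, int]           # inclusive port range, (0, 65535) = any
    dst: Callable[[str], bool]
    dport: Tuple[int, int]

    def matches(self, pkt: Packet) -> bool:
        if self.proto not in ("ip", pkt.proto):
            return False
        return (self.src(pkt.src_ip) and self.dst(pkt.dst_ip)
                and self.sport[0] <= pkt.src_port <= self.sport[1]
                and self.dport[0] <= pkt.dst_port <= self.dport[1])


def _parse_addr(t, i):
    """Consume 'any' or 'host X' at t[i]; return (matcher, next index)."""
    if t[i] == "any":
        return (lambda ip: True), i + 1
    if t[i] == "host":
        want = t[i + 1]
        return (lambda ip: ip == want), i + 2
    raise ValueError(f"unsupported address spec: {t[i]}")


def _parse_port(t, i):
    """Consume an optional 'eq N' or 'range A B' at t[i]; return (range, next index)."""
    if i < len(t) and t[i] == "eq":
        p = int(t[i + 1])
        return (p, p), i + 2
    if i < len(t) and t[i] == "range":
        return (int(t[i + 1]), int(t[i + 2])), i + 3
    return (0, 65535), i


def parse_acl(text: str):
    """Parse lines of the form: access-list NAME ACTION PROTO SRC [ports] DST [ports]."""
    aces = []
    for line in text.strip().splitlines():
        t = line.split()
        if t[0] != "access-list":
            raise ValueError(f"not an access-list line: {line}")
        action, proto = t[2], t[3]
        src, i = _parse_addr(t, 4)
        sport, i = _parse_port(t, i)
        dst, i = _parse_addr(t, i)
        dport, i = _parse_port(t, i)
        aces.append(Ace(action, proto, src, sport, dst, dport))
    return aces


def evaluate(aces, pkt: Packet) -> str:
    """First matching entry decides; no match means the implicit deny."""
    for ace in aces:
        if ace.matches(pkt):
            return ace.action
    return "deny"


# Constructed sample packets; the addresses are placeholders, not real hosts.
BROWSER_SYN = Packet("tcp", "10.0.0.5", "198.51.100.10", 3150, 80)     # client -> web server, ephemeral port in 3127-3199
SERVER_REPLY = Packet("tcp", "198.51.100.10", "10.0.0.5", 80, 3150)    # web server -> client
BACKDOOR = Packet("tcp", "10.0.0.5", "198.51.100.10", 40000, 3127)     # outbound to a MyDoom backdoor port

# Ports in the SOURCE position (the likely cause of the poster's problem).
WRONG_ACL = """
access-list 111 deny tcp any range 3127 3199 any
access-list 111 permit ip any any
"""
# Ports in the DESTINATION position, as Franco and Paras recommend.
RIGHT_ACL = """
access-list 111 deny tcp any any range 3127 3199
access-list 111 permit ip any any
"""


def outbound_verdicts(acl_text: str):
    """Apply an ACL 'in' on the inside interface to the browser SYN and the backdoor probe."""
    aces = parse_acl(acl_text)
    return evaluate(aces, BROWSER_SYN), evaluate(aces, BACKDOOR)


def inbound_on_outside(acl_text: str, stateful: bool) -> str:
    """Apply the same ACL 'in' on the outside interface to the web server's reply.
    With stateful=True a reply belonging to a known outbound session is admitted
    before the ACL is consulted, which is what a stateful firewall does (assumed model)."""
    aces = parse_acl(acl_text)
    sessions = {(BROWSER_SYN.src_ip, BROWSER_SYN.src_port, BROWSER_SYN.dst_ip, BROWSER_SYN.dst_port)}
    reply_key = (SERVER_REPLY.dst_ip, SERVER_REPLY.dst_port, SERVER_REPLY.src_ip, SERVER_REPLY.src_port)
    if stateful and reply_key in sessions:
        return "permit"
    return evaluate(aces, SERVER_REPLY)


if __name__ == "__main__":
    print("source-port ACL   (browser, backdoor):", outbound_verdicts(WRONG_ACL))
    print("dest-port ACL     (browser, backdoor):", outbound_verdicts(RIGHT_ACL))
    print("reply, stateless outside ACL:", inbound_on_outside(RIGHT_ACL, stateful=False))
    print("reply, stateful firewall:    ", inbound_on_outside(RIGHT_ACL, stateful=True))
```

Two things the run shows that the replies only state: the source-port version not only breaks browsing whenever the client happens to pick an ephemeral port in the range, it also lets the outbound probe to port 3127 through, so it fails at the thing it was written for; and a deny-only list with no `permit ip any any` drops the browser SYN as well, because of the implicit deny.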

