Hi Blaz,
I don't want to appear offensive, but you need to read a bit more about
TCP/IP and how it works before implementing such drastic measures as
dropping all packets with the RST bit raised. ;) You've just broken the TCP
mechanism for closing down connections, whether legitimate or not.
On Mon, Aug 06, 2001 at 07:44:55PM +0200, Blaz Zupan wrote:
> Update concerning my problems. The trouble seems to be caused by Code Red.
> Yes, Code Red.
>
> I have applied the following access list on our internet connection:
>
> access-list 170 deny tcp any any rst
> access-list 170 permit ip any any
>
> Looking at the counters, about 20% of our incoming packets are currently TCP
> RST packets. Normally this should be more like 1%. After applying this access
> list, all incoming TCP connections seem to work just fine.
>
> Most of the RST packets are destined for port 80 on unused IP addresses, so I
> guess this is Code Red infected machines scanning our network for possible
> victims. Why this causes heartburn for our Cisco is yet to be determined.
>
> I have reported this to psirt@cisco.com.
>
> Blaz Zupan, Medinet d.o.o, Trzaska 85, SI-2000 Maribor, Slovenia
> E-mail: blaz@amis.net, Tel: +386-2-320-6320, Fax: +386-2-320-6325
>
---end quoted text---
--
CCNP, CCDP (R&S)    Dmitri E. Kalintsev    CDPlayer@irc
Network Architect @ connect.com.au    dek @ connect.com.au
phone: +61 3 9674 3913    fax: 9251 3666    http://-UNAVAIL-
UIN:7150410    cell: +61 414 821 382
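The observation in the quoted message (RSTs at roughly 20% of inbound packets against a normal 1%, mostly to port 80 on unused addresses) can be measured and alerted on without dropping RSTs at the border. The script below is an added example, not code from either poster; it assumes a constructed, whitespace-separated record format `src_ip dst_ip dst_port flags` such as a flow exporter or capture summary might emit, and the sample records and host list are made up.

```python
from collections import Counter

# Constructed sample records (not real traffic): 16 ordinary packets to hosts
# in service plus 4 RSTs, three of them to port 80 on addresses nobody uses.
SAMPLE_LOG = "\n".join(
    [f"198.51.100.7 203.0.113.10 80 {flags}" for flags in ("S", "A", "PA", "FA")] * 4
    + [
        "198.51.100.8 203.0.113.25 25 R",   # legitimate abort on a real mail host
        "192.0.2.44 203.0.113.200 80 R",    # RSTs to port 80 on unused addresses
        "192.0.2.45 203.0.113.201 80 R",
        "192.0.2.46 203.0.113.202 80 R",
    ]
)
USED_HOSTS = {"203.0.113.10", "203.0.113.25"}   # addresses actually in service
NORMAL_RST_SHARE = 0.01   # the roughly 1% the post calls normal


def parse_records(text):
    """Yield (src, dst, dst_port, flags) tuples, skipping blank or malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[2].isdigit():
            continue
        yield parts[0], parts[1], int(parts[2]), parts[3]


def rst_report(text, used_hosts, alert_factor=5):
    """Summarise RST share, RSTs per destination port and RSTs to unused hosts.

    The alert fires when the RST share exceeds alert_factor times the normal
    share, so the 20% seen in the post trips it while 1% does not.
    """
    records = list(parse_records(text))
    rsts = [r for r in records if "R" in r[3]]
    share = len(rsts) / len(records) if records else 0.0
    to_unused = [r for r in rsts if r[1] not in used_hosts]
    return {
        "total": len(records),
        "rst": len(rsts),
        "rst_share": round(share, 3),
        "rst_by_port": dict(Counter(r[2] for r in rsts)),
        "rst_to_unused_hosts": len(to_unused),
        "rst_sources_to_unused": sorted({r[0] for r in to_unused}),
        "alert": share > alert_factor * NORMAL_RST_SHARE,
    }


if __name__ == "__main__":
    for key, value in rst_report(SAMPLE_LOG, USED_HOSTS).items():
        print(f"{key}: {value}")
```

Feeding it a real export lets you confirm whether the excess RSTs land on unused space before touching the ACL; the one RST to the mail host in the sample is exactly the legitimate teardown a blanket `deny tcp any any rst` would also discard.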
This archive was generated by hypermail 2b29 : Sun Aug 04 2002 - 04:12:48 EDT