Re: [nsp] some filter questions

From: Danny McPherson (danny@genuity.net)
Date: Mon Feb 16 1998 - 00:45:00 EST


To defend against land.c on LAN segments, assuming all the hosts on the
"target" LAN segment are trusted, all you need to do is deny packets from the
"outside" access to the segment .. if their source address is part of that
which belongs to the segment. For example:

 210.1.1.0/24
    |
    |e0
  router
    |e1
    |
 210.1.2.0/24
 
On the router, do something like:

interface e1
ip access-group 101 out
!
access-list 101 deny ip 210.1.2.0 0.0.0.255 any
access-list 101 permit ip any any

This will deny packets access onto the e1 segment if they're sourced from a
210.1.2.0/24 address. This shouldn't break any legitimate traffic between the
segments.

To answer your other question, you can only apply one ACL in each direction on
an interface.

Have a look at:

http://www.cisco.com/warp/public/770/land-pub.shtml

it should answer most of your questions w/regards to Cisco IOS and land.c DoS
attacks. Of course, if you're concerned with host vulnerability, normally the
best solution is to install patches or upgrade OS w/fixes incorporated..

Hope this helps...

-danny

> e1: 210.1.1.1 255.255.255.0 with my machine 210.1.1.2
> e2: 210.1.2.1 255.255.255.0 with target machine 210.1.2.2
>
> needless to say, there are two LANs and I want to prevent a
> "land" attack on the machine lying in the 210.1.2.1/26 segment.
>
> currently when I launched a land packet from my machine to the machine, it
> will kill it.
>
> you are telling me I had to use access-list "out."
>
> Here are dumb questions since I am new in cisco.
>
> 1. I understand the order in which the filters come makes them behave
> differently. Could you supply me with a short explanation of why?
> 2. say on the same port, I put two access-lists "in" for example,
> how does the set of filtering work? Especially if it contained some conflict,
> ie
>
> access-list 105 deny udp any any eq netbios-ns
> .....
> access-list 106 permit udp any any eq netbios-ns
> .....
>
> on e1
> ip access list 105 in
> ip access list 106 in
> -------------------------------
>
> thnx
>
> tatsuya
> ------------------
>
> finally, for netbios-ns, in order to communicate with another machine,
> must both use UDP ports 137-139, source and target machine?
>
> If I understand correctly, it seems that the source port could be anything;
> all they need is to "talk" to the correct service port, then the target machine
> "will" assign a different port for the target to communicate with the
> target machine.
>
> NOTE: source machine refers to the machine which originates the negotiation;
> target machine refers to the machine which is "asked" to negotiate.
> As usual definition...
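As an added illustration (not part of Danny's reply or of Cisco IOS itself), here is a small Python model of how IOS evaluates the two-line access-list 101 above, first match wins with an implicit deny at the end. It checks that a land-style packet (source forged to equal the victim on the e1 segment) is dropped while 210.1.1.2 talking to 210.1.2.2 still passes, and reversing the two entries shows why entry order matters for the first of tatsuya's questions. The wildcard-mask matcher and the function names are my own construction.

```python
import ipaddress

# Constructed example: first-match evaluation of a Cisco-style extended ACL.
ACL_101 = [
    "access-list 101 deny ip 210.1.2.0 0.0.0.255 any",
    "access-list 101 permit ip any any",
]


def _match_spec(tokens):
    """Return (matcher, remaining tokens) for 'any' or 'ADDR WILDCARD'.
    In a wildcard mask a 1 bit means 'don't care', a 0 bit must match."""
    if tokens[0] == "any":
        return (lambda ip: True), tokens[1:]
    base = int(ipaddress.IPv4Address(tokens[0]))
    wild = int(ipaddress.IPv4Address(tokens[1]))
    return (lambda ip, b=base, w=wild:
            (int(ipaddress.IPv4Address(ip)) | w) == (b | w)), tokens[2:]


def parse_acl(lines):
    """Parse 'access-list N (permit|deny) ip SRC DST' lines into entries."""
    entries = []
    for line in lines:
        tok = line.split()
        if len(tok) < 5 or tok[0] != "access-list":
            continue
        action, proto = tok[2], tok[3]
        src, rest = _match_spec(tok[4:])
        dst, _ = _match_spec(rest)
        entries.append((action, proto, src, dst))
    return entries


def evaluate(entries, src, dst):
    """IOS semantics: the first matching entry decides; implicit deny at the end."""
    for action, _proto, src_m, dst_m in entries:
        if src_m(src) and dst_m(dst):
            return action
    return "deny"


def land_packet_blocked():
    # land.c packet leaving e1: source address forged to the victim's own address
    return evaluate(parse_acl(ACL_101), "210.1.2.2", "210.1.2.2") == "deny"


def legit_traffic_allowed():
    return evaluate(parse_acl(ACL_101), "210.1.1.2", "210.1.2.2") == "permit"


def reversed_order_lets_it_through():
    # With 'permit ip any any' first, the deny entry is never reached.
    return evaluate(parse_acl(list(reversed(ACL_101))), "210.1.2.2", "210.1.2.2") == "permit"
```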



This archive was generated by hypermail 2b29 : Sun Aug 04 2002 - 04:13:15 EDT