[nsp] unicast RPF for IP/ARP relation?

From: Gert Doering (gert@greenie.muc.de)
Date: Sun Jun 02 2002 - 12:31:45 EDT


Hi,

I'm facing an ugly problem right now. One of our customer's machines has
been hacked, and is sending out IP packets with spoofed source addresses
- not "randomly spoofed", but with IPs that are legal for the LAN in
question, and just do not belong to *this* machine, but are currently
unused, or whatever.

I can't switch off the machine (which would be the best approach, of
course, but there is data to be saved and customer executives to be
asked *sigh*).

I would like to filter these crap packets, but I can't see any way to
tell IOS

 - for incoming packets from ethernet address aabb.ccdd.eeff, accept
   them ONLY if the IP matches 1.2.3.4, and throw away everything else

 - for OTHER source ethernet addresses, accept all packets

Bridge access lists can do filtering "by ethernet address", but I see
no way to correlate that to IP addresses (also I'm not sure whether
"filter by ethernet" will work in a purely routed environment).

Environment: Catalyst 5500, CatOS 5.5(13), Cat RSM, IOS 12.0(21a).

gert

-- 
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert@greenie.muc.de
fax: +49-89-35655025                        gert.doering@physik.tu-muenchen.de
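The MAC-to-IP filter described in the post (frames from a pinned MAC are accepted only with its bound IP, all other MACs pass), as an added example that is not part of the original message: it runs that check offline over constructed `tcpdump -e -n` style lines, covering both the IP header source and the ARP sender address from the subject line, and reports which foreign IPs the pinned host claimed. All addresses other than aabb.ccdd.eeff / 1.2.3.4 are made up for the sample.

```python
import re
from collections import Counter

# Constructed sample in `tcpdump -e -n` style: the hacked host is aabb.ccdd.eeff / 1.2.3.4 as
# in the post; the other addresses are made up for illustration.
SAMPLE_LINES = [
    "12:31:45.000001 aa:bb:cc:dd:ee:ff > 00:11:22:33:44:55, ethertype IPv4 (0x0800), length 74: 1.2.3.4.40000 > 203.0.113.9.80: Flags [S], seq 1, win 512, length 0",
    "12:31:45.000002 aa:bb:cc:dd:ee:ff > 00:11:22:33:44:55, ethertype IPv4 (0x0800), length 74: 1.2.3.77.40001 > 203.0.113.9.80: Flags [S], seq 1, win 512, length 0",
    "12:31:45.000003 aa:bb:cc:dd:ee:ff > 00:11:22:33:44:55, ethertype IPv4 (0x0800), length 74: 1.2.3.200.40002 > 203.0.113.9.80: Flags [S], seq 1, win 512, length 0",
    "12:31:45.000004 00:aa:bb:cc:dd:01 > 00:11:22:33:44:55, ethertype IPv4 (0x0800), length 74: 1.2.3.50.40003 > 203.0.113.9.80: Flags [S], seq 1, win 512, length 0",
    "12:31:45.000005 aa:bb:cc:dd:ee:ff > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 1.2.3.1 tell 1.2.3.4, length 28",
    "12:31:45.000006 aa:bb:cc:dd:ee:ff > 00:aa:bb:cc:dd:01, ethertype ARP (0x0806), length 42: Reply 1.2.3.99 is-at aa:bb:cc:dd:ee:ff, length 28",
]

# Source MAC plus the claimed IPv4 sender: the IP header source, or the ARP sender address.
FRAME_RE = re.compile(
    r"^\S+ (?P<smac>[0-9a-f:]{17}) > \S+, ethertype (?:"
    r"IPv4 \(0x0800\), length \d+: (?P<sip>\d{1,3}(?:\.\d{1,3}){3})(?:\.\d+)? >"
    r"|ARP \(0x0806\), length \d+: (?:Request who-has \S+ tell (?P<tell>\d{1,3}(?:\.\d{1,3}){3})"
    r"|Reply (?P<reply>\d{1,3}(?:\.\d{1,3}){3}) is-at))"
)

def normalize_mac(mac: str) -> str:
    """Accept Cisco 'aabb.ccdd.eeff', 'aa:bb:..' or 'aa-bb-..'; return aa:bb:cc:dd:ee:ff."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def sender_of(line: str):
    """Return (source MAC, claimed IPv4 sender) for an IPv4 or ARP frame, else None."""
    m = FRAME_RE.match(line)
    return (m.group("smac"), m.group("sip") or m.group("tell") or m.group("reply")) if m else None

def check_bindings(lines, bindings):
    """Policy from the post: a pinned MAC may only claim its bound IP (IP header or ARP sender);
    every other source MAC is accepted. Returns (accepted, dropped, {mac: Counter(foreign IPs)})."""
    pinned = {normalize_mac(mac): ip for mac, ip in bindings.items()}
    accepted, dropped, spoofed = 0, 0, {}
    for line in lines:
        parsed = sender_of(line)
        if parsed is None:
            continue  # IPv6, LLDP, ... carry no IPv4 sender to check
        smac, claimed = parsed
        if smac in pinned and claimed != pinned[smac]:
            dropped += 1
            spoofed.setdefault(smac, Counter())[claimed] += 1
        else:
            accepted += 1
    return accepted, dropped, spoofed
```

Run over a live `tcpdump -e -n` feed on the affected VLAN, the `spoofed` map shows exactly which addresses the host is claiming, which is the evidence to take to the customer before the machine is pulled.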



This archive was generated by hypermail 2b29 : Sun Aug 04 2002 - 04:11:58 EDT