Hi,
I'm facing an ugly problem right now. One of our customer's machine has
been hacked, and is sending out IP packets with spoofed source addresses
- not "randomly spoofed", but with IPs that are legal for the LAN in
question, and just do not belong to *this* machine, but are currently
unused, or whatever.
I can't switch off the machine (which would be the best approach, of
course, but there is data to be saved and customer executives to be
asked *sigh*).
I would like to filter these crap packets, but I can't see any way to
tell IOS
- for incoming packets from ethernet address aabb.ccdd.eeff, accept
them ONLY if the IP matches 1.2.3.4, and throw away everything else
- for OTHER source ethernet addresses, accept all packets
Bridge access lists can do filtering "by ethernet address", but I see
no way to correlate that to IP addresses (also I'm not sure whether
"filter by ethernet" will work in a purely routed environment).
Environment: Catalyst 5500, CatOS 5.5(13), Cat RSM, IOS 12.0(21a).
gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany gert@greenie.muc.de
fax: +49-89-35655025 gert.doering@physik.tu-muenchen.de
This archive was generated by hypermail 2b29 : Sun Aug 04 2002 - 04:11:58 EDT