[c-nsp] 6500 under DDoS
Stephen J. Wilcox
steve at telecomplete.co.uk
Tue Jul 27 17:04:11 EDT 2004
On Tue, 27 Jul 2004, Blaz Zupan wrote:
> What I just now found out is, that they had "ip nbar protocol-discovery"
> configured, which is definitely software switched. They have now turned it off.
yeah, that'll be it then
> We'll see what happens when the next DDoS comes. Does anybody on the list
> have a botnet under their control, so we can perform a test? :-)
for sure, although they're not likely to post :)
> Here are their ACLs:
I would personally suggest these are not things you want to be controlling at
your border, but that depends on what type of org they are. The traffic on these
ports is very low and is better done next to the users.
Check this page to ensure they're not processing the ACL in software:
http://www.cisco.com/en/US/products/hw/switches/ps708/products_white_paper09186a00800c9470.shtml
Steve
>
> ip access-list extended BORDER-INP
> deny udp any any range 1433 1434
> deny tcp any any eq 5554
> deny tcp any any eq 9996
> deny tcp any any eq 445
> permit ip any any
>
> ip access-list extended BORDER-OUT
> deny udp any any range 1433 1434
> deny udp any any eq snmp
> deny tcp any any eq 5554
> deny tcp any any eq 9996
> deny tcp any any eq 445
> permit ip any any
>
> And here is the interface towards us:
>
> interface GigabitEthernet5/2
> ip address x.x.x.x 255.255.255.252
> ip access-group BORDER-INP in
> ip access-group BORDER-OUT out
> load-interval 30
> no cdp enable
>
> And here is the interface towards their core:
>
> interface GigabitEthernet5/1
> no ip address
> load-interval 30
> switchport
> switchport access vlan 99
>
> interface Vlan99
> ip address i.i.i.i 255.255.255.248
> no ip igmp snooping explicit-tracking
> no ipv6 mld snooping explicit-tracking
> no ipv6 mld snooping
>
>
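Added example, not part of the thread or of any Cisco tooling: a small parser for the extended IOS ACLs quoted above that evaluates a flow against them first-match (with the implicit deny at the end) and lists the ACEs that would leave the hardware path. The sample config embeds the two ACLs from the message plus a constructed third ACL named EXAMPLE-LOGGED (not from the thread) to exercise the check; the addresses used in the usage section are documentation-range placeholders, and only the IOS port names listed in PORT_NAMES are understood.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Common IOS port names; 'snmp' appears in the thread's BORDER-OUT ACL.
PORT_NAMES = {"snmp": 161, "domain": 53, "www": 80, "smtp": 25, "ntp": 123}

# Constructed sample: the two ACLs quoted in the thread, plus a hypothetical
# third ACL (EXAMPLE-LOGGED, not from the thread) carrying a 'log' ACE.
SAMPLE_CONFIG = """
ip access-list extended BORDER-INP
 deny udp any any range 1433 1434
 deny tcp any any eq 5554
 deny tcp any any eq 9996
 deny tcp any any eq 445
 permit ip any any
ip access-list extended BORDER-OUT
 deny udp any any range 1433 1434
 deny udp any any eq snmp
 deny tcp any any eq 5554
 deny tcp any any eq 9996
 deny tcp any any eq 445
 permit ip any any
ip access-list extended EXAMPLE-LOGGED
 deny tcp any any eq 445 log
 permit ip any any
"""


@dataclass
class Ace:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    sport: Optional[tuple]   # (lo, hi) or None for "any port"
    dst: ipaddress.IPv4Network
    dport: Optional[tuple]
    log: bool
    text: str


def _port(tok: str) -> int:
    return int(tok) if tok.isdigit() else PORT_NAMES[tok]


def _take_addr(toks, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' starting at toks[i]."""
    if toks[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if toks[i] == "host":
        return ipaddress.IPv4Network(toks[i + 1] + "/32"), i + 2
    # An IOS wildcard is a host mask; ipaddress accepts "addr/hostmask".
    return ipaddress.IPv4Network(f"{toks[i]}/{toks[i + 1]}", strict=False), i + 2


def _take_ports(toks, i):
    """Parse an optional 'eq N', 'range A B', 'gt N' or 'lt N' at toks[i]."""
    if i >= len(toks):
        return None, i
    op = toks[i]
    if op == "eq":
        p = _port(toks[i + 1])
        return (p, p), i + 2
    if op == "range":
        return (_port(toks[i + 1]), _port(toks[i + 2])), i + 3
    if op == "gt":
        return (_port(toks[i + 1]) + 1, 65535), i + 2
    if op == "lt":
        return (0, _port(toks[i + 1]) - 1), i + 2
    return None, i


def parse_acls(config: str) -> dict:
    """Return {acl_name: [Ace, ...]} for every 'ip access-list extended' block."""
    acls, current = {}, None
    for raw in config.splitlines():
        toks = raw.split()
        if not toks:
            continue
        if toks[:3] == ["ip", "access-list", "extended"]:
            current = acls.setdefault(toks[3], [])
            continue
        if current is None or toks[0] not in ("permit", "deny"):
            continue
        action, proto, i = toks[0], toks[1], 2
        src, i = _take_addr(toks, i)
        sport, i = _take_ports(toks, i)
        dst, i = _take_addr(toks, i)
        dport, i = _take_ports(toks, i)
        current.append(Ace(action, proto, src, sport, dst, dport,
                           "log" in toks[i:], " ".join(toks)))
    return acls


def _port_ok(rng, port):
    return rng is None or rng[0] <= port <= rng[1]


def evaluate(aces, proto, src, sport, dst, dport) -> str:
    """First-match evaluation of one flow; an IOS ACL ends with an implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in aces:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if not (_port_ok(ace.sport, sport) and _port_ok(ace.dport, dport)):
            continue
        return ace.action
    return "deny"


def software_path_aces(aces):
    """ACEs carrying 'log': on a Catalyst 6500 a packet matching a logged ACE is
    punted to the MSFC for logging (unless optimized ACL logging is configured),
    so these are the entries to review first on a DDoS-exposed border."""
    return [a.text for a in aces if a.log]


if __name__ == "__main__":
    acls = parse_acls(SAMPLE_CONFIG)
    inp = acls["BORDER-INP"]
    print(evaluate(inp, "udp", "198.51.100.7", 40000, "192.0.2.10", 1434))  # deny
    print(evaluate(inp, "tcp", "198.51.100.7", 40000, "192.0.2.10", 80))    # permit
    for name, aces in acls.items():
        print(name, "software-path ACEs:", software_path_aces(aces))
```

Run it as a script to see that the two quoted ACLs contain no logged entries, so on their own they should stay in the PFC; the remaining software-path suspect in the thread is NBAR, which no ACL parser can see and which the poster has already disabled.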