[nsp] Cat3750G, IP ACL filtering

Gert Doering gert at greenie.muc.de
Sat Mar 6 05:53:37 EST 2004


Hi,

this thing is seriously trying to drive me nuts...

Cat3750G-24TS, c3750-i5-mz.121.14-EA1.bin

Customer connected to a directly routed GigE port.  Customer has a
windows machine, windows machine is infected with the "worm of the week"
(gracious LART *will* be applied) and is happily portscanning.

To stop the scanning while still letting the machine fulfill its
normal service, I try to set up an ACL, denying tcp/445.

interface GigabitEthernet1/0/6
 no switchport
 ip address 195.30.xx.xx 255.255.255.248
 ip access-group 150 in
 ip verify unicast reverse-path
 ip route-cache flow
 mdix auto
end

access-list 150 deny   tcp host 195.30.xx.yy any eq 135
access-list 150 deny   udp host 195.30.xx.yy any range netbios-ns netbios-dgm
access-list 150 permit tcp any any established
access-list 150 permit ip any any log

I can see lots of traffic on the interface:

     99096 packets input, 6773292 bytes, 0 no buffer

... but few if any hits on the ACL...

M15-Switch6#sh access-list 150
Extended IP access list 150
    deny tcp host 195.30.xx.yy any eq 135
    deny udp host 195.30.xx.yy any range netbios-ns netbios-dgm (1969 matches)
    permit tcp any any established
    permit ip any any log

(those are all local windows broadcasts)

... and the flow cache is also not populated at all ("show ip cache flow"
yields *no* output).


The machine *is* scanning like hell - I've put a filter on the next
router upstream, and it has caught *quite* some packets in the last 5
minutes:

Cisco-M#sh access-list 150
Extended IP access list 150
    10 deny tcp host 195.30.xx.yy any eq 135
    20 deny tcp host 195.30.xx.yy any eq 445 (39496 matches)
    30 deny tcp host 195.30.xx.yy any eq 139 (3111 matches)
    40 permit tcp any any established (163325 matches)
    50 permit ip host 195.30.xx.yy any log
    60 permit ip any any (59813 matches)

... but obviously the 3750G is another Cisco masterpiece: accept all the
normal commands, but blissfully ignore them.

I just HATE it if they do this.  They could at least print a message
"access-list ignored" or "netflow not supported on this platform".


Anyway.  There must be a way to filter "junk" packets on the 3750G as
well.  Any recommendations *how* to do this?  Using QoS/MCQ classes?

Is there a way to get this box to track what kind of packets it's
observing (netflow / ACL logging), or do you have to guess port numbers
and then set up MCQ for those?

Thanks for any help,

gert

-- 
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de
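Added example (not part of Gert's post, and not Cisco code): the symptom above is that the interface counter shows ~99k input packets while the ACL counters on the switch account for under 2k of them. A small Python checker that parses the two "show access-list 150" outputs quoted in the post (with and without sequence numbers) plus the "packets input" line, sums the ACE match counters and reports what fraction of the interface traffic the ACL counters actually explain. The sample text is copied from the post (addresses masked "xx"/"yy" as there); the function names are my own. A low ratio only tells you the counters are not seeing the traffic; whether the ACL is not applied at all or the hits are simply not reported has to be established separately on the box.

```python
import re
from typing import List, NamedTuple, Optional

# Constructed sample input, copied from the post above (the switch's ACL,
# the upstream router's ACL, and the interface counter line).
SWITCH_ACL = """\
Extended IP access list 150
    deny tcp host 195.30.xx.yy any eq 135
    deny udp host 195.30.xx.yy any range netbios-ns netbios-dgm (1969 matches)
    permit tcp any any established
    permit ip any any log
"""

ROUTER_ACL = """\
Extended IP access list 150
    10 deny tcp host 195.30.xx.yy any eq 135
    20 deny tcp host 195.30.xx.yy any eq 445 (39496 matches)
    30 deny tcp host 195.30.xx.yy any eq 139 (3111 matches)
    40 permit tcp any any established (163325 matches)
    50 permit ip host 195.30.xx.yy any log
    60 permit ip any any (59813 matches)
"""

SWITCH_INTERFACE = "     99096 packets input, 6773292 bytes, 0 no buffer"


class Ace(NamedTuple):
    seq: Optional[int]   # sequence number, None on releases that don't print one
    action: str          # "permit" or "deny"
    rule: str            # the match clause, e.g. "tcp host 195.30.xx.yy any eq 135"
    matches: int         # counter from "(N matches)", 0 when absent


# One ACE line: optional sequence number, action, rule text, optional counter.
ACE_RE = re.compile(
    r"^\s*(?:(?P<seq>\d+)\s+)?(?P<action>permit|deny)\s+(?P<rule>.*?)"
    r"(?:\s+\((?P<matches>\d+)\s+match(?:es)?\))?\s*$"
)
PKT_IN_RE = re.compile(r"(\d+)\s+packets input")


def parse_show_access_list(text: str) -> List[Ace]:
    """Parse 'show access-list' output into Ace entries; header lines are skipped."""
    aces = []
    for line in text.splitlines():
        m = ACE_RE.match(line)
        if not m:
            continue  # "Extended IP access list 150" or other non-ACE text
        aces.append(Ace(
            seq=int(m.group("seq")) if m.group("seq") else None,
            action=m.group("action"),
            rule=m.group("rule"),
            matches=int(m.group("matches") or 0),
        ))
    return aces


def parse_packets_input(text: str) -> int:
    """Return the 'packets input' counter from 'show interface' output (0 if absent)."""
    m = PKT_IN_RE.search(text)
    return int(m.group(1)) if m else 0


def total_matches(aces: List[Ace]) -> int:
    return sum(a.matches for a in aces)


def acl_coverage(aces: List[Ace], packets_input: int) -> float:
    """Fraction of the interface's input packets that the ACL counters account for.

    Every packet entering the interface should hit exactly one ACE of an
    inbound ACL, so a value far below 1.0 means the counters are not seeing
    the traffic the interface sees (ACL not applied, or hits not reported).
    """
    if packets_input <= 0:
        return 0.0
    return total_matches(aces) / packets_input


def report(acl_text: str, interface_text: str, threshold: float = 0.5) -> str:
    """Human-readable verdict for one ACL/interface pair."""
    aces = parse_show_access_list(acl_text)
    pkts = parse_packets_input(interface_text)
    cov = acl_coverage(aces, pkts)
    verdict = "OK" if cov >= threshold else "SUSPICIOUS: ACL counters see little of the traffic"
    lines = [f"{verdict} ({total_matches(aces)} ACL matches vs {pkts} packets input, ratio {cov:.3f})"]
    for a in aces:
        tag = f"{a.seq} " if a.seq is not None else ""
        lines.append(f"  {tag}{a.action} {a.rule}: {a.matches}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SWITCH_ACL, SWITCH_INTERFACE))
```

Feeding it the real "show interface" and "show access-list" text of the 3750G port gives the same picture Gert describes: nearly all input packets are unaccounted for by the ACL counters, while the same parser on the upstream router's ACL shows counters that do add up.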