[c-nsp] Simple ACL not working 7600
Frank Bulk
frnkblk at iname.com
Mon Aug 4 20:17:50 EDT 2014
We're getting data feeds that lately have been indicating that our
residential subscribers (about 12%) have open SSDP services on their routers
that allow for UDP reflection/amplification attacks.
I applied an ACL on our CMTS last week and that was very effective in
resolving that gap, but I've not had the same success for those subscribers
hanging off our 7609-S.
Using a very simple Perl command provided by one of those data feeds, I can
reproduce the attack:
perl -e 'print "M-SEARCH * HTTP/1.1\r\nHost:239.255.255.250:1900\r\nST:upnp:rootdevice\r\nMan:\"ssdp:discover\"\r\nMX:3\r\n"' > /dev/udp/%IP_address%/1900
I use tcpdump on my host to see the packet exchange.
I updated our existing ACL on one of the VLAN interfaces, but that didn't
work. I then stripped it down to its barest components:
no access-list 128
access-list 128 deny udp any any eq 1900
access-list 128 permit ip any any
but that also didn't work.
"show access-list 128" doesn't show any matches.
==============================================
Mutual_7609#show access-lists 128
Extended IP access list 128
10 deny udp any any eq 1900
20 permit ip any any (349 matches)
Mutual_7609#
Mutual_7609#show tcam interface vlan 40 acl in ip
* Global Defaults not shared
Entries from Bank 0
deny udp any any eq 1900
permit ip any any
Entries from Bank 1
Mutual_7609#
==============================================
We have lots of TCAM resources. Any idea why this isn't working?
We're running IOS 15.2(4)S5.
Regards,
Frank Bulk
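As an added example (not part of the original post or the poster's own tooling), the following Python script does the same check the Perl one-liner does, but also parses the SSDP replies and reports the amplification factor, which is what makes an open SSDP responder useful to a reflection attacker. It unicasts the same M-SEARCH probe to a target on UDP/1900, collects any HTTP/1.1 200 replies until a timeout, and divides reply bytes by probe bytes. The host name, timeout and the sample reply are assumptions constructed for illustration; run it against a subscriber IP before and after applying the ACL to confirm whether the filter actually takes effect.

```python
"""Probe a host for an open SSDP responder and estimate the amplification factor.

Added example for illustration; not code from the cisco-nsp post. The sample
reply below is constructed, not captured from a real device.
"""
import socket

SSDP_MCAST = "239.255.255.250"
SSDP_PORT = 1900


def build_msearch(st: str = "upnp:rootdevice", mx: int = 3) -> bytes:
    """Build the same M-SEARCH probe the Perl one-liner sends.

    The header block is terminated with a blank line (CRLF CRLF), as an
    HTTP-style message requires; some stacks ignore a probe without it.
    """
    lines = [
        "M-SEARCH * HTTP/1.1",
        f"Host:{SSDP_MCAST}:{SSDP_PORT}",
        f"ST:{st}",
        'Man:"ssdp:discover"',
        f"MX:{mx}",
    ]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def parse_ssdp_response(data: bytes):
    """Return a dict of lower-cased headers from an 'HTTP/1.1 200 OK' SSDP
    reply, or None if the datagram is not such a reply (e.g. a NOTIFY)."""
    text = data.decode("ascii", errors="replace")
    head, _, _ = text.partition("\r\n\r\n")
    lines = head.split("\r\n")
    if not lines or not lines[0].startswith("HTTP/1.1 200"):
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def amplification(request: bytes, replies) -> float:
    """Bytes returned per byte sent: the reflection/amplification factor."""
    if not request:
        return 0.0
    return sum(len(r) for r in replies) / len(request)


def probe(host: str, timeout: float = 3.0):
    """Unicast one M-SEARCH to host:1900 and collect valid replies until the
    socket times out. Returns (request_bytes, list_of_reply_bytes)."""
    req = build_msearch()
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    replies = []
    try:
        sock.sendto(req, (host, SSDP_PORT))
        while True:
            try:
                data, _addr = sock.recvfrom(65535)
            except socket.timeout:
                break
            if parse_ssdp_response(data) is not None:
                replies.append(data)
    finally:
        sock.close()
    return req, replies


# Constructed sample reply, shaped like a typical UPnP root-device answer.
SAMPLE_REPLY = (
    b"HTTP/1.1 200 OK\r\n"
    b"CACHE-CONTROL: max-age=1800\r\n"
    b"ST: upnp:rootdevice\r\n"
    b"USN: uuid:00000000-0000-0000-0000-000000000000::upnp:rootdevice\r\n"
    b"EXT:\r\n"
    b"SERVER: Linux/2.6 UPnP/1.0 example/1.0\r\n"
    b"LOCATION: http://192.0.2.1:1900/rootDesc.xml\r\n"
    b"\r\n"
)


if __name__ == "__main__":
    import sys
    # Hypothetical target; replace with a subscriber IP you are allowed to test.
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.1"
    req, replies = probe(target)
    print(f"{target}: {len(replies)} reply(ies), "
          f"amplification x{amplification(req, replies):.1f}")
    for r in replies:
        print("  ", parse_ssdp_response(r).get("server", "<no SERVER header>"))
```

If the ACL is doing its job, the probe should get no replies and the deny line's match counter should move; if replies still come back, the traffic is not traversing the interface and direction the ACL is applied to.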