[c-nsp] access lists for cpe protection
Mike
mike-cisconsplist at tiedyenetworks.com
Fri Feb 28 13:35:50 EST 2014
Hello,
I serve lots of residential subscribers and it's apparent that home
user oriented CPE gear is just getting stupider, less secure, more
vulnerable, more exploited as time goes on. I have implemented a basic
filter designed to protect CPE from remote exploitation and generally
the list includes denial of any access of the CPE on web, dns, snmp and
other abusable service ports.
My question is one of efficiency of the ACL itself. I currently
have one permit or deny per line, but the ip access-list extended
command will allow multiple matches per line. I am wondering whether
there is anything to gain by rewriting the ACL to take advantage of this
fact.
My current ACL is as follows:
ip access-list extended myaccesslist
 remark applies to inbound from internet to customer
 permit udp host x.x.x.x any eq domain
 permit udp host y.y.y.y any eq domain
 permit tcp host x.x.x.x any eq domain
 permit tcp host y.y.y.y any eq domain
 permit udp host g.g.g.g any eq domain
 permit tcp host g.g.g.g any eq domain
 permit udp host z.z.z.z any eq domain
 permit tcp host z.z.z.z any eq domain
 deny tcp any any eq telnet
 deny tcp any any eq smtp
 deny tcp any any eq ftp
 deny tcp any any eq domain
 deny tcp any any eq www
 deny tcp any any eq 22
 deny udp any any eq domain
 deny udp any any eq bootps
 deny udp any any eq snmp
 deny udp any any eq snmptrap
 deny udp any any eq syslog
 deny udp any any eq tftp
 deny udp any any eq netbios-ns
 deny udp any any eq netbios-dgm
 deny udp any any eq netbios-ss
 permit ip any any
I am currently catching a wide ranging dns attack that has tens of
thousands of different ip addresses all trying to talk to some number of
my CPEs, asking nonsensical dns questions which then result in a flood
from my recursive resolvers to the poor sap owning those names. One
problem is that some CPE like to send dns queries FROM port 53, making
the responses come back on port 53, which means I can't effectively
filter out random internet hosts trying to use my CPE for dns proxy,
except via the above 6 lines.
So my question is, can I optimize this to reduce router load? Oh, I
have this on 7201.
Mike-
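The rewrite the post asks about, done mechanically, as an added example that is not from the post or from Cisco: it reads the ACL above (reconstructed inline with the same placeholder addresses), merges entries that differ only in destination port into one `eq p1 p2 ...` entry, and only merges inside a run of consecutive same-action lines so that the first-match result for every packet stays the same. The 10-port limit per `eq` is an assumption about IOS syntax; whether fewer entries actually lower lookup cost on a 7201 depends on the platform's ACL implementation, which is the open question.

```python
import re

# Sample input reconstructed from the post's ACL (placeholder addresses kept as-is).
HOSTS = ["x.x.x.x", "y.y.y.y", "g.g.g.g", "z.z.z.z"]
TCP_DENY = "telnet smtp ftp domain www 22".split()
UDP_DENY = "domain bootps snmp snmptrap syslog tftp netbios-ns netbios-dgm netbios-ss".split()
ACL = "\n".join(
    ["ip access-list extended myaccesslist", " remark applies to inbound from internet to customer"]
    + [f" permit {p} host {h} any eq domain" for h in HOSTS for p in ("udp", "tcp")]
    + [f" deny tcp any any eq {p}" for p in TCP_DENY]
    + [f" deny udp any any eq {p}" for p in UDP_DENY]
    + [" permit ip any any"])

ENTRY = re.compile(r"^\s*(permit|deny)\s+(\S+)\s+(host \S+|any)\s+(host \S+|any)(?:\s+eq\s+(.+))?\s*$")
MAX_PORTS = 10  # assumption: IOS accepts up to 10 port operands after a single 'eq'

def parse(text):
    """Return the ACL's entries as (action, proto, src, dst, ports); name/remark lines are skipped."""
    entries = []
    for m in filter(None, map(ENTRY.match, text.splitlines())):
        action, proto, src, dst, ports = m.groups()
        entries.append((action, proto, src, dst, ports.split() if ports else []))
    return entries

def consolidate(entries):
    """Merge entries that differ only in port into one 'eq p1 p2 ...' entry.
    Merging stays inside a run of consecutive same-action lines, so the first-match
    decision for every packet is unchanged (order within such a run is irrelevant)."""
    out, run_action, groups = [], None, {}
    def flush():
        for (action, proto, src, dst, _), ports in groups.items():
            for i in range(0, max(len(ports), 1), MAX_PORTS):  # split if over the limit
                out.append((action, proto, src, dst, ports[i:i + MAX_PORTS]))
        groups.clear()
    for action, proto, src, dst, ports in entries:
        if action != run_action:  # action changed: emit the finished run, start a new one
            flush()
            run_action = action
        plist = groups.setdefault((action, proto, src, dst, bool(ports)), [])
        for p in ports:
            if p not in plist:
                plist.append(p)
    flush()
    return out

def render(name, entries):
    """Print the entries back in ip access-list extended form."""
    lines = [f"ip access-list extended {name}"]
    for action, proto, src, dst, ports in entries:
        lines.append(f" {action} {proto} {src} {dst}" + (f" eq {' '.join(ports)}" if ports else ""))
    return "\n".join(lines)
```

Running `render("myaccesslist", consolidate(parse(ACL)))` turns the 24 entries above into 11: the eight per-resolver permits are untouched, the six tcp denies and nine udp denies collapse to one line each, and the trailing permit ip any any stays last.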