Merit Network
Can't find what you're looking for? Search the Mail Archives.
  About Merit   Services   Network   Resources & Support   Network Research   News   Events   Home

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: filtering whitehouse.gov?

  • From: Jon O .
  • Date: Sat Jul 21 18:47:25 2001

I understand your need to do something like this, but you are 
essentially causing the worm to fulfill it's goal and
censoring your customers. I worried that many people would do this. 

Why not just use outbound Cisco ACLs on your CPE, Core, and Border
routers to permit and log the traffic to the one IP address being
attacked and them contact the people who have hacked machines? Or,
if you must use the ACLs to deny the packets with the goal of
identifing machines and getting them fixed.

Here is another email:

CAUTION: Misused ACLs can blow up your hardare. This could fill your 
syslog server with logged packets. 

This ACL will have to be applied on an interface in an outbound 
direction. 
 
So, to permit the traffic and log it do this:

interface s0/0
ip access-group 199 out


access-list 199 permit tcp any host 198.137.240.91 eq 80 log
access-list 199 permit tcp any host 198.137.240.92 eq 80 log

You should already be logging packets to a syslog server. 

To make deny rules just change the permit to deny. However, this is 
kind of drastic and almost amounts to censorship. 



On 22-Jul-2001, Sabri Berisha wrote:
> 
> Hi all,
> 
> A couple of days ago I mentioned here that I have nullrouted the IP which
> whitehouse.gov resolves to. After that I received some mail in private
> mentioning not only the fact that I filtered the wrong IP (that's fixt
> now) but also the dangers of posting about such a thing here. "Hey, he
> nullroutes them, let's do it too!".
> 
> My decision to nullroute whitehouse.gov was based on the following:
> 
> - the traceroute from my net to whitehouse.gov goes through AT&T which
> means that any DoS packets originating from our network will affect that
> network too;
> 
> - my customerbase is not that type that would visit whitehouse.gov
> frequently nor would whitehouse.gov (if coming from that IP as a source)
> be interested in any of my customers;
> 
> - most of the boxes in our network have a 100mbit/s nic in their box. Our
> main uplink is a STM-1 at the moment so if a colocated NT box would be
> compromised, that would give a huge effect. Imagine what would happen if 2
> or three boxes are infected.
> 
> After careful consideration we (our engineering team and the CEO) decided
> we would not want to be a part of any attacks against the US government or
> any other network.
> 
> If you have any reasons to believe you need to blackhole whitehouse.gov
> please do so, but don't blackhole just because others do it as well.
> 
> -- 
> /* Sabri Berisha CCNA,BOFH,+iO        O.O        speaking for just myself
>  * Join HAL!!: www.HAL2001.org ____oOo_U_oOo____ http://www.bit.nl/~sabri
>  *  "We deliver quality services, we just can't get it on the internet"
>  *   Anonymous sysadmin - on IRC                                       */
> 

Attachment: pgp00015.pgp
Description: PGP signature




Discussion Communities


About Merit | Services | Network | Resources & Support | Network Research
News | Events | Contact | Site Map | Merit Network Home


Merit Network, Inc.