North American Network Operators Group
MAx TNT Filter -- Actual FILTER
- From: Sean Watkins
- Date: Mon Aug 25 23:26:45 2003
Apologies: I know I am posting to multiple lists, but multiple lists
with Ascend users.. none so far have posted and numerous are asking for
it... Including myself! Hopefully recommendations will follow.
After several hours of trial and error - after I set up the recommended
Cisco filters upstream from TNT equipment.
I have been constantly watching log entries, to find people blasting
away with ICMP/UDP Port 135/ TCP Port 137 the most.
I have come up with a filter, for the TNT:
set filter-name = pre-nachi2
set input-filters 1 valid-entry = yes
set input-filters 1 Type = ip-filter
set input-filters 1 ip-filter protocol = 6
set input-filters 1 ip-filter Dst-Port-Cmp = eql
set input-filters 1 ip-filter dest-port = 135
set input-filters 2 valid-entry = yes
set input-filters 2 Type = ip-filter
set input-filters 2 ip-filter protocol = 17
set input-filters 2 ip-filter Dst-Port-Cmp = eql
set input-filters 2 ip-filter dest-port = 137
set input-filters 3 valid-entry = yes
set input-filters 3 forward = yes
set input-filters 3 Type = ip-filter
set input-filters 3 ip-filter protocol = 1
set input-filters 3 ip-filter dest-address-mask = 255.255.255.255
set input-filters 3 ip-filter dest-address = X.X.X.X
set input-filters 4 valid-entry = yes
set input-filters 4 Type = ip-filter
set input-filters 4 ip-filter protocol = 1
set input-filters 5 valid-entry = yes
set input-filters 5 forward = yes
set input-filters 5 Type = ip-filter
This filter blocks UDP Port 135, tcp port 137, allows ICMP to X.X.X.X,
drops all other ICMP, and then allows any other traffic out.
Basically, X.X.X.X is a machine here we can use to have customers ping
us/ we ping them. This filter seems to work for 90% of people, but for
unknown reasons, ICMP still seems to leak in. Any ideas?
I'm applying this filter to data under answer-defaults, session-info.
I've set iproute-cache-enable = no,
Disabled proxy arp... Everything. Still we are dropping packets at peak
times left, right and center for unknown reasons. show ip cache flow on
upstream Cisco gear shows basically regular traffic.
----- Original Message -----
From: "Dave Birkbeck" <firstname.lastname@example.org>
To: "'Tony Bunce'" <email@example.com>; "'Sean Watkins
Sent: Monday, August 25, 2003 7:27 PM
Subject: RE: (RADIATOR) MAx TNT & MSBlast
In addition to having the ACLs that Cisco recommends, has anyone come
up with a RADIUS ascend-data-filter that will slow down the spread of
these crazy viruses? Or better yet, a filter that will block ICMP.
Again, I know this is probably not the list for this discussion, but
this topic is definitely for the greater good of the Internet.
That being said does anyone know of a list that discusses various NAS
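
Added example, not part of either message above: a small Python model of the pre-nachi2 filter as posted, for checking offline which entry a given packet hits before applying the filter to sessions. It assumes first-match evaluation, that an entry with no forward setting drops, and that a packet matching no entry is dropped; 192.0.2.10 is a constructed stand-in for X.X.X.X and the sample packets are constructed.

```python
from ipaddress import ip_address, ip_network

PING_HOST = "192.0.2.10"  # constructed stand-in for the post's X.X.X.X

# Entries transcribed in order from the posted filter.
# proto: IP protocol number, dport: destination port, dst: destination network.
# None means "match anything"; forward False is the assumed default (drop).
RULES = [
    {"proto": 6,    "dport": 135,  "dst": None,              "forward": False},
    {"proto": 17,   "dport": 137,  "dst": None,              "forward": False},
    {"proto": 1,    "dport": None, "dst": PING_HOST + "/32", "forward": True},
    {"proto": 1,    "dport": None, "dst": None,              "forward": False},
    {"proto": None, "dport": None, "dst": None,              "forward": True},
]

def evaluate(proto, dst, dport=None, rules=RULES):
    """Return (entry_number, forwarded) for the first entry that matches.

    Assumed semantics: first match wins; if nothing matches the packet
    is dropped, reported here as entry 0.
    """
    for n, r in enumerate(rules, 1):
        if r["proto"] is not None and r["proto"] != proto:
            continue
        if r["dport"] is not None and r["dport"] != dport:
            continue
        if r["dst"] is not None and ip_address(dst) not in ip_network(r["dst"]):
            continue
        return n, r["forward"]
    return 0, False

# Constructed sample packets: (label, protocol, destination, destination port)
SAMPLES = [
    ("TCP/135",           6,  "198.51.100.7", 135),
    ("UDP/137",           17, "198.51.100.7", 137),
    ("UDP/135",           17, "198.51.100.7", 135),
    ("TCP/137",           6,  "198.51.100.7", 137),
    ("ICMP to ping host", 1,  PING_HOST,      None),
    ("ICMP elsewhere",    1,  "198.51.100.7", None),
    ("TCP/80",            6,  "198.51.100.7", 80),
]

if __name__ == "__main__":
    for label, proto, dst, dport in SAMPLES:
        n, fwd = evaluate(proto, dst, dport)
        print(f"{label:20} entry {n}: {'forward' if fwd else 'drop'}")
```

Under these assumptions, entries 1 and 2 as posted match protocol 6 port 135 and protocol 17 port 137, so UDP/135 and TCP/137 fall through to entry 5 and are forwarded.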