Security Basics mailing list archives
Re: Cisco Workaround
From: Paul Kincaid <pkincaid () wareonearth com>
Date: Wed, 23 Jul 2003 20:41:30 -0400
Actually, you need to block all four of the IP protocols to have complete coverage. The DoS can occur simply by sending 76 packets on a single protocol. However, do not get confused between ports and protocols: what Alvaro is talking about is PORT 53 (UDP), which is not blocked by the below ACL. An ACL to block PORT 53 would look like "access-list 101 deny udp any any eq 53"; that ACL would block all packets destined for a DNS server. PROTOCOL 53 is "SWIPE - IP with Encryption." They are two separate concepts. TCP is PROTOCOL 6 and UDP is PROTOCOL 17.

But to correct your first statement: you do have to have all of the access-list entries in for PROTOCOLS 53, 55, 77, and 103 on each of the interfaces to completely protect yourself. However, one note: if you already have an access-list in place on an interface and have a final "access-list 101 deny ip any any" or have the default implicit deny in place at the end of the ACL, you are still protected. That "deny ip any any" will stop these packets.

To answer your question directly, Alvaro: no, the access-list defined by Cisco in the Security Advisory will not prevent your DNS servers from updating or querying external servers. You are thinking of UDP Port 53, which is not the same as IP Protocol 53.

Hope this helps,
Paul Kincaid

On (07/23/03 15:16), DOUGLAS GULLETT wrote:
To: Alvaro Gordon-Escobar <alvaroge () molecularstaging com>
Cc: firewalls () securityfocus com, security-basics () securityfocus com
From: DOUGLAS GULLETT <dougg03 () comcast net>
Date: Wed, 23 Jul 2003 15:16:28 -0400
Subject: Re: Cisco Workaround

I don't think you have to put all the access-list in. I believe that the hack requires a certain combination of packets to the four ports, so leaving one or two of them open should still prevent the hack. That might be a good question for Cisco TAC...they should be willing to help even if you "misplaced" your SmartNet contract information. ;-)

Doug

----- Original Message -----
From: Alvaro Gordon-Escobar <alvaroge () molecularstaging com>
Date: Wednesday, July 23, 2003 10:15 am
Subject: Cisco Workaround

will this access list modification prevent my internal DNS server from updates to itself from my telco's DNS server?

    access-list 101 deny 53 any any
    access-list 101 deny 55 any any
    access-list 101 deny 77 any any
    access-list 101 deny 103 any any
    !--- insert any other previously applied ACL entries here
    !--- you must permit other protocols through to allow normal
    !--- traffic -- previously defined permit lists will work
    !--- or you may use the permit ip any any shown here
    access-list 101 permit ip any any

Thanks in advance
~alvaro Escobar
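The distinction Paul draws above (IP protocol number versus TCP/UDP port, and the effect of the implicit deny at the end of every ACL) is easy to check by modelling how an IOS extended ACL is evaluated. The following Python is an added example written for this archive page; it is not Cisco code and not anything the thread participants posted. It handles only the `access-list N permit|deny PROTO any any [eq PORT]` form used in the thread, and the packets it evaluates are constructed for illustration.

```python
"""Model of Cisco IOS extended-ACL evaluation, written to show why the
advisory ACL (deny IP protocols 53/55/77/103) does not block UDP port 53.
Added teaching example; supports only the 'any any [eq PORT]' entry form
seen in the thread. Packets below are constructed, not captured."""

import re
from dataclasses import dataclass
from typing import List, Optional

# IOS protocol keywords -> IP protocol number ("ip" matches every protocol)
PROTOCOL_NAMES = {"ip": None, "tcp": 6, "udp": 17, "icmp": 1}


@dataclass
class Packet:
    proto: int                       # IP protocol number (6 TCP, 17 UDP, 53 SWIPE, ...)
    dst_port: Optional[int] = None   # only meaningful for TCP/UDP


@dataclass
class Entry:
    action: str                      # "permit" or "deny"
    proto: Optional[int]             # None = any IP protocol (keyword "ip")
    dst_port: Optional[int]          # None = any destination port


ENTRY_RE = re.compile(
    r"^access-list\s+\d+\s+(permit|deny)\s+(\S+)\s+any\s+any(?:\s+eq\s+(\d+))?\s*$"
)


def parse_entry(line: str) -> Optional[Entry]:
    """Parse one ACL line; '!' comment lines and blank lines yield None."""
    line = line.strip()
    if not line or line.startswith("!"):
        return None
    m = ENTRY_RE.match(line)
    if not m:
        raise ValueError(f"unsupported ACL syntax in this model: {line!r}")
    action, proto_tok, port = m.groups()
    if proto_tok in PROTOCOL_NAMES:
        proto = PROTOCOL_NAMES[proto_tok]
    else:
        proto = int(proto_tok)       # numeric IP protocol, e.g. 53 = SWIPE
    if port is not None and proto not in (6, 17):
        raise ValueError("'eq PORT' is only valid for tcp or udp entries")
    return Entry(action, proto, int(port) if port else None)


def parse_acl(text: str) -> List[Entry]:
    return [e for e in (parse_entry(l) for l in text.splitlines()) if e]


def matches(entry: Entry, pkt: Packet) -> bool:
    if entry.proto is not None and entry.proto != pkt.proto:
        return False
    if entry.dst_port is not None and entry.dst_port != pkt.dst_port:
        return False
    return True


def evaluate(acl: List[Entry], pkt: Packet) -> str:
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for entry in acl:
        if matches(entry, pkt):
            return entry.action
    return "deny"                    # the implicit "deny ip any any"


# The ACL quoted in the thread (from the Cisco advisory workaround).
ADVISORY_ACL = parse_acl("""
access-list 101 deny 53 any any
access-list 101 deny 55 any any
access-list 101 deny 77 any any
access-list 101 deny 103 any any
access-list 101 permit ip any any
""")

# Paul's counter-example: an entry that really does block DNS traffic.
DNS_BLOCK_ACL = parse_acl("access-list 101 deny udp any any eq 53")

# An ACL that never mentions protocols 53/55/77/103 but still drops them,
# because nothing permits them before the implicit deny.
TCP_ONLY_ACL = parse_acl("access-list 101 permit tcp any any")


def demo() -> dict:
    dns_query = Packet(proto=17, dst_port=53)   # UDP/53: ordinary DNS query
    swipe = Packet(proto=53)                    # IP protocol 53 (SWIPE)
    pim = Packet(proto=103)                     # IP protocol 103
    return {
        "advisory acl, UDP/53 DNS":  evaluate(ADVISORY_ACL, dns_query),
        "advisory acl, protocol 53": evaluate(ADVISORY_ACL, swipe),
        "advisory acl, protocol 103": evaluate(ADVISORY_ACL, pim),
        "dns-block acl, UDP/53 DNS": evaluate(DNS_BLOCK_ACL, dns_query),
        "tcp-only acl, protocol 53": evaluate(TCP_ONLY_ACL, swipe),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:28s} -> {verdict}")
```

Running it shows the advisory ACL permitting the UDP/53 query while denying protocols 53 and 103, the `deny udp any any eq 53` entry denying the query, and the TCP-only ACL denying protocol 53 purely through the implicit deny, which is the point Paul makes about interfaces that already carry a restrictive ACL.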
Current thread:
- Re: Cisco Workaround jamesworld (Jul 23)
- RE: Cisco Workaround Ghaith Nasrawi (Jul 25)
- RE: Cisco Workaround (comment on actually using those protocols) jamesworld (Jul 28)
- RE: Cisco Workaround David Gillett (Jul 28)
- <Possible follow-ups>
- RE: Cisco Workaround Naman Latif (Jul 23)
- RE: Cisco Workaround Todd Mitchell - lists (Jul 23)
- RE: Cisco Workaround Charlie Winckless (Jul 23)
- Re: Cisco Workaround DOUGLAS GULLETT (Jul 23)
- RE: Cisco Workaround Terry Baranski (Jul 24)
- Re: Cisco Workaround Paul Kincaid (Jul 24)
- RE: Cisco Workaround Dave Gilmore (Intrusense) (Jul 24)
- Re: Cisco Workaround Kurt Seifried (Jul 24)
- RE: Cisco Workaround David Gillett (Jul 24)
- RE: Cisco Workaround Wolfpaw - Dale Corse (Jul 24)
- RE: Cisco Workaround Byrne Ghavalas (Jul 24)
- Re: Cisco Workaround john (Jul 24)
- Re: Cisco Workaround joshua sahala (Jul 24)
- Re: Cisco Workaround Jac (Jul 24)
- Re: Cisco Workaround Luis Enrique Londono (Jul 23)
- Re: Cisco Workaround bryan_khoo (Jul 24)
(Thread continues...)
- RE: Cisco Workaround Ghaith Nasrawi (Jul 25)