Security Basics mailing list archives
Re: Cisco Workaround
From: Jac <jac_des_vert () yahoo com>
Date: Thu, 24 Jul 2003 03:40:07 -0700 (PDT)
The list stated is what Cisco recommends in their workaround for the transit ACL. The exploit for this has already come out and they state that you don't need any combinations, just 76 packets of one of the protocols. I gave it a quick read through and you can find it at: http://www.derkeiler.com/Mailing-Lists/Full-Disclosure/2003-07/0703.html

Take a look, it may help you refine the ACLs that you want.

Jac

--- DOUGLAS GULLETT <dougg03 () comcast net> wrote:
I don't think you have to put all the access-list in. I believe that the hack requires a certain combination of packets to the four ports, so leaving one or two of them open should still prevent the hack. That might be a good question for Cisco TAC... they should be willing to help even if you "misplaced" your SmartNet contract information. ;-)

Doug

----- Original Message -----
From: Alvaro Gordon-Escobar <alvaroge () molecularstaging com>
Date: Wednesday, July 23, 2003 10:15 am
Subject: Cisco Workaround

Will this access list modification prevent my internal DNS server from updates to itself from my telco's DNS server?

access-list 101 deny 53 any any
access-list 101 deny 55 any any
access-list 101 deny 77 any any
access-list 101 deny 103 any any
!--- insert any other previously applied ACL entries here
!--- you must permit other protocols through to allow normal
!--- traffic -- previously defined permit lists will work
!--- or you may use the permit ip any any shown here
access-list 101 permit ip any any

Thanks in advance

~alvaro Escobar
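An added example, not from any post in this thread, that parses the ACL quoted above and evaluates it against constructed packets. It relies on the documented IOS extended-ACL syntax, where the token after permit/deny is an IP protocol keyword (ip, tcp, udp, icmp) or a protocol number 0-255, so "deny 53 any any" matches IP protocol 53 (SWIPE in the IANA registry) rather than TCP/UDP port 53; matching is first-match-wins with an implicit deny at the end. The addresses, the contrasting ACL 102 (which shows the form a port-53 filter takes) and the sample packets are constructed for illustration; the parser covers only the syntax needed here.

```python
"""Evaluate a simplified Cisco IOS extended ACL against sample packets.

Added example (not from the mailing-list post). It models only the subset
of extended-ACL syntax used in the thread plus tcp/udp 'eq PORT' matching,
to show that the field after deny/permit is an IP protocol number, not a port.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Protocol keywords IOS accepts in place of a number (subset); None means 'ip'.
PROTO_KEYWORDS = {"ip": None, "tcp": 6, "udp": 17, "icmp": 1}
# IANA names for the protocol numbers that appear in the thread.
PROTO_NAMES = {53: "SWIPE", 55: "IP Mobility", 77: "Sun ND", 103: "PIM", 17: "UDP", 6: "TCP"}


@dataclass
class Packet:
    proto: int                  # IP protocol number from the IP header
    src: str
    dst: str
    dport: Optional[int] = None  # transport port, meaningful only for TCP/UDP


@dataclass
class Rule:
    action: str                 # 'permit' or 'deny'
    proto: Optional[int]        # None matches any protocol ('ip')
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]        # from 'eq N', else None


def _parse_addr(tokens, i):
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD'; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # IOS wildcard masks are host masks (0.0.0.255 == /24); ipaddress accepts them directly.
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_acl(text):
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("!"):
            continue  # '!---' lines are comments, as in the quoted config
        t = line.split()
        if t[0] != "access-list":
            raise ValueError(f"unsupported line: {line}")
        action, proto_tok = t[2], t[3]
        proto = PROTO_KEYWORDS[proto_tok] if proto_tok in PROTO_KEYWORDS else int(proto_tok)
        src, i = _parse_addr(t, 4)
        dst, i = _parse_addr(t, i)
        dport = int(t[i + 1]) if i + 1 < len(t) and t[i] == "eq" else None
        rules.append(Rule(action, proto, src, dst, dport))
    return rules


def evaluate(rules, pkt):
    """Return (action, index of the matching rule). First match wins; implicit deny."""
    for idx, r in enumerate(rules):
        if r.proto is not None and r.proto != pkt.proto:
            continue
        if ipaddress.ip_address(pkt.src) not in r.src or ipaddress.ip_address(pkt.dst) not in r.dst:
            continue
        if r.dport is not None and r.dport != pkt.dport:
            continue
        return r.action, idx
    return "deny", None


# The ACL quoted in the thread (comment lines shortened).
ACL_FROM_THREAD = """
access-list 101 deny 53 any any
access-list 101 deny 55 any any
access-list 101 deny 77 any any
access-list 101 deny 103 any any
!--- previously applied entries would go here
access-list 101 permit ip any any
"""

# Constructed contrast, not from the thread: what a filter on UDP port 53 looks like.
ACL_PORT_CONTRAST = """
access-list 102 deny udp any any eq 53
access-list 102 permit ip any any
"""

# Constructed sample traffic; addresses are documentation ranges used as placeholders.
SAMPLES = {
    "dns_udp_53": Packet(proto=17, src="203.0.113.10", dst="192.0.2.53", dport=53),  # DNS over UDP
    "ip_proto_103": Packet(proto=103, src="203.0.113.10", dst="192.0.2.1"),          # PIM
    "ip_proto_53": Packet(proto=53, src="203.0.113.10", dst="192.0.2.1"),            # SWIPE
}


def check_thread_acl():
    rules = parse_acl(ACL_FROM_THREAD)
    return {name: evaluate(rules, pkt) for name, pkt in SAMPLES.items()}


def check_port_acl():
    rules = parse_acl(ACL_PORT_CONTRAST)
    return {name: evaluate(rules, pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for label, fn in (("ACL 101 (thread)", check_thread_acl), ("ACL 102 (port contrast)", check_port_acl)):
        print(label)
        for name, (action, idx) in fn().items():
            print(f"  {name}: {action} by rule {idx}")
```

Running it shows the DNS packet (UDP, port 53) falling through ACL 101 to the final "permit ip any any", while packets whose IP protocol field is 53 or 103 hit the deny lines; under the contrasting ACL 102 the DNS packet is the one denied. The same evaluator can be fed any list of extended-ACL lines in this subset to check a proposed filter before it is applied.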