Security Basics mailing list archives

Re: Cisco Workaround


From: Paul Kincaid <pkincaid () wareonearth com>
Date: Wed, 23 Jul 2003 20:41:30 -0400

Actually, you need to block all four of the IP Protocols to have complete
coverage.  The DoS can occur simply by sending 76 packets on a single
protocol.

However, do not get confused between ports and protocols - what Alvaro
is talking about is PORT 53 (UDP) which is not blocked by the below ACL.
An ACL to block PORT 53 would look like "access-list 101 deny udp any
any eq 53" - that ACL would block all packets destined for a DNS Server.
PROTOCOL 53 is "SWIPE - IP with Encryption."  They are two separate
concepts.  TCP is PROTOCOL 6 and UDP is PROTOCOL 17.

But to correct your first statement - you do have to have all of the
access-list entries in for PROTOCOLS 53, 55, 77, and 103 on each of the
interfaces to completely protect yourself.  However, one note, if you
already have an access-list in place on an interface and have a final
"access-list 101 deny ip any any" or have the default implicit deny
in place at the end of the ACL, you are still protected.  That "deny ip
any any" will stop these packets.

To answer your question directly Alvaro, no, the access-list defined by
Cisco in the Security Advisory will not prevent your DNS servers from
updating or querying external servers.  You are thinking of UDP Port 53,
which is not the same as IP Protocol 53.

Hope this helps,
Paul Kincaid

On (07/23/03 15:16), DOUGLAS GULLETT wrote:
To: Alvaro Gordon-Escobar <alvaroge () molecularstaging com>
Cc: firewalls () securityfocus com, security-basics () securityfocus com
From: DOUGLAS GULLETT <dougg03 () comcast net>
Date: Wed, 23 Jul 2003 15:16:28 -0400
Subject: Re: Cisco Workaround

I don't think you have to put all the access-list in.  I believe that 
the hack requires a certain combination of packets to the four ports, 
so leaving one or two of them open should still prevent the hack.  That 
might be a good question for Cisco TAC...they should be willing to help 
even if you "misplaced" your SmartNet contract information.  ;-)

Doug
----- Original Message -----
From: Alvaro Gordon-Escobar <alvaroge () molecularstaging com>
Date: Wednesday, July 23, 2003 10:15 am
Subject: Cisco Workaround

will this access list modification prevent my internal DNS server 
from updates to itself from my telco's DNS server?

access-list 101 deny 53 any any
access-list 101 deny 55 any any
access-list 101 deny 77 any any
access-list 101 deny 103 any any
!--- insert any other previously applied ACL entries here
!--- you must permit other protocols through to allow normal
!--- traffic -- previously defined permit lists will work
!--- or you may use the permit ip any any shown here
access-list 101 permit ip any any

Thanks in advance

~alvaro Escobar
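The port-versus-protocol distinction Paul draws above, worked through in code. This is an added example, not part of the thread or of Cisco's advisory: a toy evaluator for the few extended-ACL keywords that appear on the page (ip/tcp/udp or a numeric protocol, "any" addresses, "eq <port>"), with Cisco's first-match and implicit-deny semantics assumed.

```python
"""Toy evaluator for the Cisco extended-ACL lines discussed in the thread.
Constructed example: it models only the keywords used on the page
(ip/tcp/udp/numeric protocol, 'any' addresses, 'eq <port>') and the
first-match, implicit-deny behaviour of a Cisco access-list."""

PROTO_NAMES = {"ip": None, "tcp": 6, "udp": 17}  # None = matches every IP protocol


def parse_acl(text):
    """Return a list of (action, protocol_number, dest_port) rules.
    Lines starting with '!' are IOS comments and are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("!"):
            continue
        words = line.split()
        # access-list <num> <permit|deny> <proto> <src> <dst> [eq <port>]
        action, proto = words[2], words[3]
        proto_num = PROTO_NAMES[proto] if proto in PROTO_NAMES else int(proto)
        dport = int(words[7]) if len(words) > 7 and words[6] == "eq" else None
        rules.append((action, proto_num, dport))
    return rules


def evaluate(rules, proto, dport=None):
    """First matching entry decides; no match falls through to the implicit deny."""
    for action, rule_proto, rule_port in rules:
        if rule_proto is not None and rule_proto != proto:
            continue
        if rule_port is not None and rule_port != dport:
            continue
        return action
    return "deny"


# The ACL from Cisco's workaround as quoted in Alvaro's mail.
ADVISORY_ACL = """
access-list 101 deny 53 any any
access-list 101 deny 55 any any
access-list 101 deny 77 any any
access-list 101 deny 103 any any
access-list 101 permit ip any any
"""
# The ACL Paul describes that really would block a DNS server.
PORT53_ACL = "access-list 101 deny udp any any eq 53\naccess-list 101 permit ip any any"

if __name__ == "__main__":
    adv, p53 = parse_acl(ADVISORY_ACL), parse_acl(PORT53_ACL)
    print(evaluate(adv, 17, 53))  # permit: DNS is UDP (protocol 17) to port 53, untouched
    print(evaluate(adv, 53))      # deny: IP protocol 53 (SWIPE) is what the advisory blocks
    print(evaluate(p53, 17, 53))  # deny: the port-53 entry is the one that stops DNS
```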
