nanog mailing list archives

Re: filtering whitehouse.gov?


From: Sabri Berisha <sabri () bit nl>
Date: Sun, 22 Jul 2001 11:51:56 +0200 (CEST)


On Sat, 21 Jul 2001, Jon O. wrote:

> I understand your need to do something like this, but you are
> essentially causing the worm to fulfill its goal and
> censoring your customers. I worried that many people would do this.
>
> Why not just use outbound Cisco ACLs on your CPE, Core, and Border
> routers to permit and log the traffic to the one IP address being
> attacked and then contact the people who have hacked machines? Or,
> if you must use the ACLs to deny the packets with the goal of
> identifying machines and getting them fixed.

Outbound ACLs are an option, but then you would have to be sure that they
are sending the packets to port 80.

> access-list 199 permit tcp any host 198.137.240.91 eq 80 log
> access-list 199 permit tcp any host 198.137.240.92 eq 80 log
>
> You should already be logging packets to a syslog server.

We already log every packet coming by on a machine which counts the
traffic so any infected box will be identified soon.

> To make deny rules just change the permit to deny. However, this is
> kind of drastic and almost amounts to censorship.

Censorship is a way to see it; I prefer to call it operational prevention
of a DoS attack. The risk of "censoring" two IPs over DoS'ing an entire
network is one I can explain to angry customers (if there are any).

-- 
/* Sabri Berisha CCNA,BOFH,+iO        O.O        speaking for just myself
 * Join HAL!!: www.HAL2001.org ____oOo_U_oOo____ http://www.bit.nl/~sabri
 *  "We deliver quality services, we just can't get it on the internet"
 *   Anonymous sysadmin - on IRC                                       */
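An added example (mine, not from either poster) of the counting step discussed above: a Python filter over constructed Cisco IOS ACL log lines (the `%SEC-6-IPACCESSLOGP` message format is assumed) that tallies packets per source toward the two logged hosts, so the infected customer machines stand out whether the ACL permits or denies.

```python
import re
from collections import Counter

# Constructed sample syslog lines in the Cisco IOS ACL logging format
# (%SEC-6-IPACCESSLOGP is assumed); they stand in for what the "log"
# keyword on access-list 199 would send to the syslog server.
SAMPLE_LOG = """\
Jul 21 14:02:11 core1 1001: %SEC-6-IPACCESSLOGP: list 199 permitted tcp 10.1.2.3(1025) -> 198.137.240.91(80), 1 packet
Jul 21 14:02:12 core1 1002: %SEC-6-IPACCESSLOGP: list 199 permitted tcp 10.1.2.3(1026) -> 198.137.240.92(80), 1 packet
Jul 21 14:07:13 core1 1003: %SEC-6-IPACCESSLOGP: list 199 permitted tcp 10.1.2.3(1027) -> 198.137.240.91(80), 37 packets
Jul 21 14:02:20 core1 1004: %SEC-6-IPACCESSLOGP: list 199 denied tcp 10.9.8.7(3001) -> 198.137.240.91(80), 2 packets
Jul 21 14:02:30 core1 1005: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 10.1.2.3(1050) -> 192.0.2.10(80), 1 packet
Jul 21 14:02:31 core1 1006: %SYS-5-CONFIG_I: Configured from console by vty0
"""

# The two hosts that access-list 199 in the thread matches on.
TARGETS = {"198.137.240.91", "198.137.240.92"}
LOG_RE = re.compile(
    r"list (?P<acl>\d+) (?P<action>permitted|denied) tcp "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)

def parse_acl_log(text):
    """Yield one record per ACL log line; lines from other facilities are skipped."""
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["count"] = int(rec["count"])  # IOS summarises bursts as "N packets"
            yield rec

def count_sources(text, acl="199", targets=TARGETS, port="80"):
    """Total logged packets per source IP for hits on `acl` toward `targets` on `port`."""
    # Permitted and denied hits both count: changing permit to deny alters what is
    # forwarded, not which sources the log identifies.
    totals = Counter()
    for rec in parse_acl_log(text):
        if rec["acl"] == acl and rec["dst"] in targets and rec["dport"] == port:
            totals[rec["src"]] += rec["count"]
    return totals

def suspect_hosts(totals, threshold=10):
    """Sources whose packet total crosses the threshold, i.e. the boxes to contact."""
    return sorted(ip for ip, n in totals.items() if n >= threshold)
```

Run `suspect_hosts(count_sources(text))` over the syslog file that collects the list 199 messages; the threshold separates a repeatedly scanning host from a one-off hit.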


