Solved

Router Access List to Block Destination Private IP plus Blaster!

Posted on 2004-04-06
Last Modified: 2013-11-29
Greetings everyone. I monitored ip cache flow on my router and noticed that there are packets with a private IP as destination, although everything should be pointing to my proxy as destination. On checking further I found that it was Blaster that was getting through, although I had already put an access list on the router. The source IP is also strange because it's a block of IPs increasing by 1, like:

x:x:x:20
x:x:x:21
x:x:x:22

How can I block this? The access-list I have is something like this:
access-list 110 deny   tcp any any eq 445
access-list 110 deny   tcp any any eq 444
access-list 110 deny   tcp any any eq 135
access-list 110 deny   tcp any any eq 136
access-list 110 deny   tcp any any eq 138
access-list 110 deny   tcp any any eq 139
access-list 110 deny   tcp any any eq 137
access-list 110 deny   tcp any any eq 4444
access-list 110 deny   tcp any any eq 5324
access-list 110 deny   tcp any any eq 3127
access-list 110 deny   tcp any any eq 3198
access-list 110 deny   udp any any eq 5324
access-list 110 deny   udp any any eq 135
access-list 110 deny   udp any any eq 136
access-list 110 deny   udp any any eq 139
access-list 110 deny   udp any any eq 138
access-list 110 deny   udp any any eq 137
access-list 110 deny   udp any any eq 144
access-list 110 deny   udp any any eq 145
access-list 110 permit ip any any
Question by:KevoZam
 

Expert Comment

by:lrmoore
ID: 10765372
Deny ICMP echo requests going out and it will help:

access-list 110 deny icmp any any echo

If you want to be able to ping/traceroute for troubleshooting purposes, be sure to permit your IPs first.

Where are you applying this access-list? To the Ethernet "in" ?
 

Author Comment

by:KevoZam
ID: 10766381
Hi lrmoore. I have an E1 with my ISP, so I have put the access-list on my serial; I have put it as in and out. By the way, the access-list has another line:
   access-list 110 deny ip any 192.168.0.0 0.0.255.255
On checking the cache flow I am getting matches to this specific line plus a few of the other lines, but I am still getting destination IPs of 192.x.x.x, meaning Blaster is still getting in somehow. Does this mean that it is a ping/trace as you say? Thanks
 

Expert Comment

by:lrmoore
ID: 10766621
Typically a ping trace, yes.

Suggest moving the acl from the serial "out" to the Ethernet "in"
 

Expert Comment

by:mzelinka
ID: 10766777
Try doing the access-list in "reverse", like this (it's more secure than your version):
access-list 100 permit tcp host xxxx any eq 80
access-list 100 permit tcp host xxxx any eq 21
access-list 100 deny ip any any

or try

access-list 110 permit ip any any log
and if you don't have huge traffic you can see what traffic goes through the access-list
with the show logging command.
You can turn on logging with the logging buffered command.
 

Expert Comment

by:PennGwyn
ID: 10770201
lrmoore:  E1 *is* serial -- IIRC, T1 = 24x64K and E1 = 32x64K.  About 2Mbps.  (My impression is that North American Telcos prefer to deal in T1s and European ones in E1s.)

KevoZam: Any chance that someone has plugged an infected laptop into your network?

 

Expert Comment

by:lrmoore
ID: 10770358
PennGwyn,
Thanks for the lesson, but I *know* all about E1/T1s.
I only mentioned the serial interface without regard to what is connected to that interface, because it doesn't matter.

Bottom line: move the access-list to the LAN-facing Ethernet interface "in", not on the Serial "out"
 

Author Comment

by:KevoZam
ID: 10772290
Hi, I tried putting the access-list to block echo as suggested; still my cache flow shows the same packets getting in. My access-list now looks like this:

access-list 110 deny   tcp any any eq 135
access-list 110 deny   tcp any any eq 136
access-list 110 deny   tcp any any eq 137
access-list 110 deny   tcp any any eq 138
access-list 110 deny   tcp any any eq 139
access-list 110 deny   tcp any any eq 444
access-list 110 deny   tcp any any eq 445
access-list 110 deny   tcp any any eq 4444
access-list 110 deny   tcp any any eq 3127
access-list 110 deny   tcp any any eq 5324
access-list 110 deny   tcp any any eq 3198
access-list 110 deny   udp any any eq 135
access-list 110 deny   udp any any eq 136
access-list 110 deny   udp any any eq netbios-ns
access-list 110 deny   udp any any eq netbios-dgm
access-list 110 deny   udp any any eq netbios-ss
access-list 110 deny   udp any any eq 144
access-list 110 deny   udp any any eq 145
access-list 110 permit ip x.x.x.x (my ip) any
access-list 110 deny   icmp any any echo
access-list 110 deny   ip any 192.168.0.0 0.0.255.255
access-list 110 permit ip any any



Part of my IP cache flow looks like this. Note that only the last digit of the source address is changing.

SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pckts

Se1/0:0.9     81.66.15.17     Fa0/0         192.168.18.128  06 0087 0B4E      1
Se1/0:0.9     81.66.15.18     Fa0/0         192.168.18.128  06 0087 0B4F      1
Se1/0:0.9     81.66.15.16     Fa0/0         192.168.18.128  06 0087 0B4D      1
Se1/0:0.9     81.66.15.9      Fa0/0         192.168.18.128  06 0087 0B46      1
Se1/0:0.9     81.66.15.10     Fa0/0         192.168.18.128  06 0087 0B47      1
Se1/0:0.9     81.66.15.8      Fa0/0         192.168.18.128  06 0087 0B45      1
Se1/0:0.9     81.66.15.13     Fa0/0         192.168.18.128  06 0087 0B4A      1
Se1/0:0.9     81.66.15.5      Fa0/0         192.168.18.128  06 0087 0B42      1
Se1/0:0.9     81.66.15.20     Fa0/0         192.168.18.128  06 0087 0B51      1

Any ideas? A show access-list shows the following:

  Extended IP access list 110
    deny tcp any any eq 135 (663 matches)
    deny tcp any any eq 136
    deny tcp any any eq 137
    deny tcp any any eq 138
    deny tcp any any eq 139 (7 matches)
    deny tcp any any eq 444
    deny tcp any any eq 445 (168 matches)
    deny tcp any any eq 4444
    deny tcp any any eq 3127 (159 matches)
    deny tcp any any eq 5324
    deny tcp any any eq 3198 (65 matches)
    deny udp any any eq 135
    deny udp any any eq 136
    deny udp any any eq netbios-ns (327 matches)
    deny udp any any eq netbios-dgm (13 matches)
    deny udp any any eq netbios-ss
    deny udp any any eq 144
    deny udp any any eq 145
    permit ip x.x.x.x (my ip) any (243316 matches)
    deny icmp any any echo (3462 matches)
    deny ip any 192.168.0.0 0.0.255.255 (236468 matches)
    permit ip any any (774170 matches)


Thanks.
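As an added example (not from the thread or from any of its posters): a small Python evaluator that decodes the hexadecimal protocol and port fields of the `show ip cache flow` rows posted above and walks the posted ACL the way IOS does (first match wins; `eq N` after the destination address tests the destination port), reporting which entry each flow hits. The address 203.0.113.1 is a constructed placeholder for the author's "x.x.x.x (my ip)", and the ACL is abridged to the entries that matter for these flows.

```python
import ipaddress
# Flow record as posted in the thread (protocol and ports are hexadecimal).
FLOW_LINES = """\
Se1/0:0.9 81.66.15.17 Fa0/0 192.168.18.128 06 0087 0B4E 1
""".splitlines()
# ACL 110 as posted, abridged; "x.x.x.x (my ip)" is a constructed placeholder here.
ACL_LINES = """\
deny tcp any any eq 135
deny udp any any eq netbios-ns
permit ip 203.0.113.1 0.0.0.0 any
deny ip any 192.168.0.0 0.0.255.255
permit ip any any
""".splitlines()
PROTO = {"tcp": 6, "udp": 17, "icmp": 1}
PORT_NAMES = {"netbios-ns": 137, "netbios-dgm": 138, "netbios-ss": 139}

def parse_flow(line):
    f = line.split()  # SrcIf SrcIP DstIf DstIP Pr SrcP DstP Pckts
    return f[1], f[3], int(f[4], 16), int(f[5], 16), int(f[6], 16)

def parse_addr(tokens):
    """Consume one IOS address spec ('any' or 'ADDR WILDCARD'); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    # IOS wildcard bits are the inverse of a netmask (contiguous masks assumed).
    mask = ".".join(str(255 - int(o)) for o in tokens[1].split("."))
    return ipaddress.ip_network(f"{tokens[0]}/{mask}", strict=False), tokens[2:]

def ace_matches(ace, flow):
    """Return the ACE's action ('permit'/'deny') if it matches the flow, else None."""
    src, dst, proto, _sport, dport = flow
    action, protocol, *rest = ace.split()
    if protocol != "ip" and PROTO[protocol] != proto:
        return None
    src_net, rest = parse_addr(rest)
    dst_net, rest = parse_addr(rest)
    # 'eq N' after the destination address constrains the DESTINATION port only.
    if rest[:1] == ["eq"] and dport != (PORT_NAMES.get(rest[1]) or int(rest[1])):
        return None
    hit = ipaddress.ip_address(src) in src_net and ipaddress.ip_address(dst) in dst_net
    return action if hit else None

def first_match(acl, flow):
    """(index, text) of the first matching ACE; IOS is first-match, None = implicit deny."""
    for i, ace in enumerate(acl, 1):
        if ace_matches(ace, flow):
            return i, ace
    return None
```

Run against the posted row, the source port decodes to 135 and the destination port to 2894, so none of the `eq 135` entries match and the first hit is the `deny ip any 192.168.0.0 0.0.255.255` line, which agrees with that line's match counter in the posted show access-list output.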
 

Author Comment

by:KevoZam
ID: 10772335
Hi PennGwyn, yes, it could be that someone has an infected laptop or machine, but I'm trying to also prevent Blaster from getting in at all. The router is getting matches to the access-list so the ACL is working, but what I don't understand is how I am getting packets from outside destined for my network's private IPs regardless of the ACL I have put in. Any ideas? Thanks
 

Expert Comment

by:mzelinka
ID: 10772681
And the access-list is applied on interface E1 in?
 

Author Comment

by:KevoZam
ID: 10772848
Hi mzelinka, it is on the serial in. The router has an E1 controller, so the serial has
   ip access-group 110 in
   ip access-group 110 out
 

Expert Comment

by:mzelinka
ID: 10773225
No idea :-(, try configuring two access-lists, one for IN and one for OUT...
 

Accepted Solution

by:
lrmoore earned 80 total points
ID: 10773874
Please, take access-list 110 off of the serial E1 interface and apply it "in" only to the Ethernet interface.

This looks like the infected machine.
>192.168.18.128  
 

Author Comment

by:KevoZam
ID: 10956776
Sorry for the delay, guys. I re-specified my access-list and placed it at Eth0/0 in, and now Blaster's destination is null, so it looks like it's getting dumped. Thank you all
 

Expert Comment

by:sponyz
ID: 11231046
Put this access-group on your E0 as (in)
& you will get better performance, up to 50%

    deny tcp any any eq 3531 (31489 matches)
    deny tcp any any eq 1214 (27452 matches)
    deny tcp any any eq 6346 (3601 matches)
    deny tcp any any eq 6347 (4 matches)
    deny tcp any any eq 6667
    deny tcp any any eq 1433
    deny tcp host 192.168.11.111 any gt 5050
    deny tcp any any range 4444 4700 (553 matches)
    deny udp host 192.168.11.111 any gt 5050
    deny udp any any range netbios-ns netbios-ss (43640 matches)
    deny udp any any eq 6347
    deny udp any any eq 1900 (32629 matches)
    deny udp any any eq discard (242 matches)
    deny ip any 192.168.0.0 0.0.255.255 (9872 matches)
    deny ip any 172.16.0.0 0.15.255.255
    deny ip any 10.0.0.0 0.255.255.255 (17 matches)
    permit icmp 62.xx.0.0 0.0.255.255 62.xx.0.0 0.0.255.255
    permit ip any any (1452496 matches)

    This is a 3-day traffic log.
