• Status: Solved
  • Priority: Medium
  • Security: Public

Router Access List to Block Destination Private IP plus Blaster!

KevoZam asked:

Greetings everyone. I monitored IP cache flow on my router and noticed that there are packets with a destination of a private IP, although everything should be pointing to my proxy as destination. On checking further I found that it was Blaster that was getting through, although I had already put an access list on the router. The source IP is also strange, because it's a block of IPs increasing by 1, like:

x:x:x:20
x:x:x:21
x:x:x:22

How can I block this? The access-list I have is something like this:
access-list 110 deny   tcp any any eq 445
access-list 110 deny   tcp any any eq 444
access-list 110 deny   tcp any any eq 135
access-list 110 deny   tcp any any eq 136
access-list 110 deny   tcp any any eq 138
access-list 110 deny   tcp any any eq 139
access-list 110 deny   tcp any any eq 137
access-list 110 deny   tcp any any eq 4444
access-list 110 deny   tcp any any eq 5324
access-list 110 deny   tcp any any eq 3127
access-list 110 deny   tcp any any eq 3198
access-list 110 deny   udp any any eq 5324
access-list 110 deny   udp any any eq 135
access-list 110 deny   udp any any eq 136
access-list 110 deny   udp any any eq 139
access-list 110 deny   udp any any eq 138
access-list 110 deny   udp any any eq 137
access-list 110 deny   udp any any eq 144
access-list 110 deny   udp any any eq 145
access-list 110 permit ip any any
 
lrmooreCommented:
Deny ICMP echo requests going out and it will help:

access-list 110 deny icmp any any echo

If you want to be able to ping/traceroute yourself for troubleshooting purposes, be sure to permit your IPs first.

Where are you applying this access-list? To the Ethernet "in" ?
 
KevoZamAuthor Commented:
Hi lrmoore. I have an E1 with my ISP, so I have put the access-list on my serial. I have put it as in and out, and by the way the access-list has another line:
   access-list 110 deny ip any 192.168.0.0 0.0.255.255
On checking the cache flow I am getting matches to this specific line plus a few of the other lines, but I am still getting destination IPs of 192.x.x.x, meaning Blaster is still getting in somehow. Does this mean that it is a ping/trace as you say? Thanks
 
lrmooreCommented:
Typically a ping trace, yes.

Suggest moving the acl from the serial "out" to the Ethernet "in"
 
mzelinkaCommented:
Try a "reverse" access-list like this (it's more secure than your version):
access-list 100 permit tcp host xxxx any eq 80
access-list 100 permit tcp host xxxx any eq 21
access-list 100 deny ip any any

or try

access-list 110 permit ip any any log
and if you don't have huge traffic you can see what traffic goes through the access-list
with the show logging command.
You can turn on logging with the logging buffered command.
 
PennGwynCommented:
lrmoore:  E1 *is* serial -- IIRC, T1 = 24x64K and E1 = 32x64K.  About 2Mbps.  (My impression is that North American Telcos prefer to deal in T1s and European ones in E1s.)

KevoZam: Any chance that someone has plugged an infected laptop into your network?

 
lrmooreCommented:
PennGwyn,
Thanks for the lesson, but I *know* all about E1/T1s.
I only mentioned the serial interface without regard to what's connected to that interface, because it doesn't matter.

Bottom line: move the access-list to the LAN-facing Ethernet interface "in", not on the Serial "out"
 
KevoZamAuthor Commented:
Hi, I tried putting the access-list to block echo as suggested; still my cache flow shows the same packets getting in. My access-list now looks like this:

access-list 110 deny   tcp any any eq 135
access-list 110 deny   tcp any any eq 136
access-list 110 deny   tcp any any eq 137
access-list 110 deny   tcp any any eq 138
access-list 110 deny   tcp any any eq 139
access-list 110 deny   tcp any any eq 444
access-list 110 deny   tcp any any eq 445
access-list 110 deny   tcp any any eq 4444
access-list 110 deny   tcp any any eq 3127
access-list 110 deny   tcp any any eq 5324
access-list 110 deny   tcp any any eq 3198
access-list 110 deny   udp any any eq 135
access-list 110 deny   udp any any eq 136
access-list 110 deny   udp any any eq netbios-ns
access-list 110 deny   udp any any eq netbios-dgm
access-list 110 deny   udp any any eq netbios-ss
access-list 110 deny   udp any any eq 144
access-list 110 deny   udp any any eq 145
access-list 110 permit ip x.x.x.x (my ip) any
access-list 110 deny   icmp any any echo
access-list 110 deny   ip any 192.168.0.0 0.0.255.255
access-list 110 permit ip any any



Part of my IP cache flow looks like this. Note that only the last digit of the source IP address is changing.

SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pckts
Se1/0:0.9     81.66.15.17     Fa0/0         192.168.18.128  06 0087 0B4E  1
Se1/0:0.9     81.66.15.18     Fa0/0         192.168.18.128  06 0087 0B4F  1
Se1/0:0.9     81.66.15.16     Fa0/0         192.168.18.128  06 0087 0B4D  1
Se1/0:0.9     81.66.15.9      Fa0/0         192.168.18.128  06 0087 0B46  1
Se1/0:0.9     81.66.15.10     Fa0/0         192.168.18.128  06 0087 0B47  1
Se1/0:0.9     81.66.15.8      Fa0/0         192.168.18.128  06 0087 0B45  1
Se1/0:0.9     81.66.15.13     Fa0/0         192.168.18.128  06 0087 0B4A  1
Se1/0:0.9     81.66.15.5      Fa0/0         192.168.18.128  06 0087 0B42  1
Se1/0:0.9     81.66.15.20     Fa0/0         192.168.18.128  06 0087 0B51  1

Any ideas? A show access-list shows the following:

  Extended IP access list 110
    deny tcp any any eq 135 (663 matches)
    deny tcp any any eq 136
    deny tcp any any eq 137
    deny tcp any any eq 138
    deny tcp any any eq 139 (7 matches)
    deny tcp any any eq 444
    deny tcp any any eq 445 (168 matches)
    deny tcp any any eq 4444
    deny tcp any any eq 3127 (159 matches)
    deny tcp any any eq 5324
    deny tcp any any eq 3198 (65 matches)
    deny udp any any eq 135
    deny udp any any eq 136
    deny udp any any eq netbios-ns (327 matches)
    deny udp any any eq netbios-dgm (13 matches)
    deny udp any any eq netbios-ss
    deny udp any any eq 144
    deny udp any any eq 145
    permit ip x.x.x.x (my ip) any (243316 matches)
    deny icmp any any echo (3462 matches)
    deny ip any 192.168.0.0 0.0.255.255 (236468 matches)
    permit ip any any (774170 matches)


Thanks.
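The cache flow records above carry the answer if you decode them: IOS prints the port columns in hex and in the order SrcP then DstP, so 0087 is TCP port 135 as the *source* port of these inbound packets, while the destination port walks 0B42..0B51 (2882..2897) in step with the source address. That is what replies look like when an inside host (192.168.18.128) opens connections to port 135 on consecutive outside addresses. Every "deny tcp any any eq 135" style line tests the destination port, so none of them can match these packets; on the serial interface they fall through to "deny ip any 192.168.0.0 0.0.255.255". The same ACL applied "in" on the Ethernet interface sees the host's own outgoing packets, whose destination port is 135, and drops them on the first line. The following is an added example, not code from the thread: a small first-match evaluator for the posted ACL 110 run over a constructed copy of the posted flow lines. It supports only the syntax ACL 110 uses (any, host, wildcard masks, eq on the destination port, the echo keyword), the ACL is abridged to the lines that matter, and 198.51.100.1 is an assumed stand-in for the poster's elided x.x.x.x.

```python
"""Cisco extended ACL 110 from the post vs. its 'show ip cache flow' lines.
First match wins, top-down, implicit 'deny ip any any' last. Supports only
the syntax ACL 110 uses: any / host A / A WILDCARD, 'eq PORT' (dst), 'echo'."""
import ipaddress
from collections import namedtuple

# Constructed copy of flow lines from the post; IOS prints Pr, SrcP, DstP
# in hex (06 = TCP, 0087 = 135). Column order is SrcP then DstP.
FLOW_RECORDS = """\
Se1/0:0.9  81.66.15.17  Fa0/0  192.168.18.128  06 0087 0B4E  1
Se1/0:0.9  81.66.15.18  Fa0/0  192.168.18.128  06 0087 0B4F  1
Se1/0:0.9  81.66.15.5   Fa0/0  192.168.18.128  06 0087 0B42  1
Se1/0:0.9  81.66.15.20  Fa0/0  192.168.18.128  06 0087 0B51  1
"""

# ACL 110 in the posted order, abridged (the other 'eq PORT' lines behave
# the same). The poster's own address is elided as x.x.x.x in the post;
# 198.51.100.1 (TEST-NET-2) is an assumed stand-in, not a value from it.
ACL_110 = """\
deny tcp any any eq 135
deny tcp any any eq 139
deny tcp any any eq 445
deny tcp any any eq 4444
deny udp any any eq 135
deny udp any any eq netbios-ns
permit ip host 198.51.100.1 any
deny icmp any any echo
deny ip any 192.168.0.0 0.0.255.255
permit ip any any
"""

PROTO = {"ip": None, "tcp": 6, "udp": 17, "icmp": 1}
PORT_NAMES = {"netbios-ns": 137, "netbios-dgm": 138, "netbios-ss": 139}
Flow = namedtuple("Flow", "src dst proto sport dport")

def reverse(fl):
    """The same conversation as the LAN host sends it (enters Ethernet 'in')."""
    return Flow(fl.dst, fl.src, fl.proto, fl.dport, fl.sport)

def parse_flows(text):
    flows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 7:
            flows.append(Flow(f[1], f[3], int(f[4], 16), int(f[5], 16), int(f[6], 16)))
    return flows

def _addr(tokens):
    """Consume one address spec; return (network, wildcard) as ints."""
    t = tokens.pop(0)
    if t == "any":
        return 0, 0xFFFFFFFF
    if t == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0
    return int(ipaddress.IPv4Address(t)), int(ipaddress.IPv4Address(tokens.pop(0)))

def _in(ip, net_wild):
    net, wild = net_wild  # wildcard bits that are set mean "don't care"
    return (int(ipaddress.IPv4Address(ip)) | wild) == (net | wild)

def parse_acl(text):
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        proto, rest = PROTO[tokens[1]], tokens[2:]
        src, dst = _addr(rest), _addr(rest)
        dport = icmp_type = None
        if rest[:1] == ["eq"]:           # port test applies to the destination
            dport = PORT_NAMES.get(rest[1]) or int(rest[1])
        elif rest[:1] == ["echo"]:
            icmp_type = 8
        entries.append((line, proto, src, dst, dport, icmp_type))
    return entries

def first_match(entries, fl):
    """Text of the first entry matching the flow, else the implicit deny."""
    for line, proto, src, dst, dport, icmp_type in entries:
        if proto is not None and proto != fl.proto:
            continue
        if not (_in(fl.src, src) and _in(fl.dst, dst)):
            continue
        if dport is not None and dport != fl.dport:
            continue
        if icmp_type is not None and fl.dport >> 8 != icmp_type:
            continue  # IOS puts ICMP type*256+code in the DstP column
        return line
    return "implicit deny ip any any"

def analyze(acl_text=ACL_110, flow_text=FLOW_RECORDS):
    """Per inbound flow: the line hit on the serial 'in' ACL, and the line
    the LAN host's outbound packet would hit with the ACL on Ethernet 'in'."""
    entries = parse_acl(acl_text)
    return [{"src": fl.src, "sport": fl.sport, "dport": fl.dport,
             "serial_in": first_match(entries, fl),
             "ethernet_in": first_match(entries, reverse(fl))}
            for fl in parse_flows(flow_text)]

if __name__ == "__main__":
    for r in analyze():
        print(f"{r['src']}:{r['sport']} -> 192.168.18.128:{r['dport']}  serial in: "
              f"{r['serial_in']!r}  ethernet in: {r['ethernet_in']!r}")
```

Run stand-alone it prints, for each posted flow, the ACL line hit on the serial interface (the 192.168.0.0 deny) and the line the reversed packet hits on the Ethernet interface (the port 135 deny). The evaluator is a deliberate simplification of IOS: no "established", "range" or "gt" handling, and no modelling of how the flow cache interacts with ACL drops, so it answers only the ordering and direction question, not why the cache still shows the packets.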
 
KevoZamAuthor Commented:
Hi PennGwyn, yes, it could be that someone has an infected laptop or machine, but I'm trying to also prevent Blaster from getting in at all. The router is getting matches to the access-list, so the ACL is working, but what I don't understand is how I am getting packets from outside destined for my network's private IPs regardless of the ACL I have put in. Any ideas? Thanks
 
mzelinkaCommented:
And access-list is applied on interface E1 in ?
 
KevoZamAuthor Commented:
Hi mzelinka, it is on the serial in. The router has an E1 controller, so the serial has:
   ip access-group 110 in
   ip access-group 110 out
 
mzelinkaCommented:
No idea :-(, try configuring two access-lists, one for IN and one for OUT...
 
lrmooreCommented:
Please take access-list 110 off the serial E1 interface and apply it "in" only to the Ethernet interface.

This looks like the infected machine.
>192.168.18.128  
 
KevoZamAuthor Commented:
Sorry for the delay, guys. I re-specified my access-list and placed it at Eth0/0 in, and now the Blaster's destination is null, so it looks like it's getting dumped. Thank you all.
 
sponyzCommented:
Put this access-group on your E0 as (in)
and you will get better performance, up to 50%.

    deny tcp any any eq 3531 (31489 matches)
    deny tcp any any eq 1214 (27452 matches)
    deny tcp any any eq 6346 (3601 matches)
    deny tcp any any eq 6347 (4 matches)
    deny tcp any any eq 6667
    deny tcp any any eq 1433
    deny tcp host 192.168.11.111 any gt 5050
    deny tcp any any range 4444 4700 (553 matches)
    deny udp host 192.168.11.111 any gt 5050
    deny udp any any range netbios-ns netbios-ss (43640 matches)
    deny udp any any eq 6347
    deny udp any any eq 1900 (32629 matches)
    deny udp any any eq discard (242 matches)
    deny ip any 192.168.0.0 0.0.255.255 (9872 matches)
    deny ip any 172.16.0.0 0.15.255.255
    deny ip any 10.0.0.0 0.255.255.255 (17 matches)
    permit icmp 62.xx.0.0 0.0.255.255 62.xx.0.0 0.0.255.255
    permit ip any any (1452496 matches)

    This is a 3-day traffic log.