[Okta Webinar] Learn how to a build a cloud-first strategyRegister Now

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 234
  • Last Modified:

drop packets with cisco 1600

dear sir ,
somebody is making flood on me , which means sending syn_ack udp packets randomly , which means his script is making flood on all ports from 0 to 65535 with packet length = 48
how can i block all packets using packet length 48 ?
thanks
0
skynoc
Asked:
skynoc
1 Solution
 
LucFCommented:
Hi skynoc,

Dropping those packages won't help you very much as your bandwidth will still be filled up with crap.
Please contact your ISP as soon as possible, they'll be able to filter the mess on their routers and will be able to keep you online. You can't do much, or anything about this yourself.

Greetings,

LucF
0
 
rafael_accCommented:
:) That's right, unfortunately
0
 
z71mike8379Commented:
Track him down to a port and take him off the network.  Are you familiar with that process?
0
What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

 
skynocAuthor Commented:
sir , the problem is that i m the ISP
the problem is that many networks are flooding on me , so i cant deny these network ,
even i cant deny all ports ,
i have to deny ports with packet length of the flood .
whch means , the flood is sending syn_ack udp packets length = 48
so i have to deny all udp ports on packet length = 48
so what is the command that did this
thanks
0
 
LucFCommented:
I have to admit I'm not sure how to filter on packet length with a Cisco. But still, those packages are send to you, so you're receiving them. Blocking them has exactly the same effect as accepting them.

LucF
0
 
skynocAuthor Commented:
sir , it is urgent ,
plz check for this at any cisco reference , i would be greatfull
thanks.
0
 
LucFCommented:
For what I've found, you can't filter on packet length, but please read my comment above really carefully:
"But still, those packages are send to you, so you're receiving them. Blocking them has exactly the same effect as accepting them."
Please understand that.

What I've found (I can't verify at this moment) is that both the Blaster and the Sasser virus use a packet lenght of 48 bytes, so you're most likely having the same problem as every other ISP. All you need to do to protect your customers from it is blocking port 135 (make sure to note this to your customers as some might need it, if you mention it to them they can reroute their traffic through another port)

Btw, if you want to "block" something, you should get a firewall, not a router. I know this might be difficult for you as you are an ISP but it's surely your best option.

LucF
0
 
skynocAuthor Commented:
sir , what i understood is i cant do it with  a router , i have to do it with firewall hardware , if i bought a new firewall hardware , can i block the sasser or the blaster virus using the packet length ? thanks
if yes , please tell me about the firewall series number .
0
 
LucFCommented:
Please review this page on Cisco.com
http://www.cisco.com/en/US/products/ps5888/products_user_guide_chapter09186a0080236a84.html

There's a "greater" and a "less" parameter, not any precise filterrule on cisco's :(
I'll see if I can find anything else for you.

LucF
0

Featured Post

Free Tool: Port Scanner

Check which ports are open to the outside world. Helps make sure that your firewall rules are working as intended.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now