Cisco 3560 ACL and Syn Protect

We have added the following ACL to our Cisco 3560 router:


Extended IP access list 103
    10 permit tcp any host 77.223.156.156 eq www log (136803 matches)
    20 permit tcp any host 77.223.156.156 eq ftp log
    30 permit tcp any host 77.223.156.156 eq telnet log
    40 permit tcp any host 77.223.156.156 eq pop3 log
    50 permit tcp any host 77.223.156.156 eq smtp log
    60 permit tcp any host 77.223.156.156 eq 443 log
    70 permit tcp any host 77.223.156.156 eq 3389 log (2508 matches)
    80 permit tcp any host 77.223.156.156 eq domain log
    90 permit udp any host 77.223.156.156 eq domain log (68 matches)
    100 deny ip any host 77.223.156.156 log (5633 matches)
    110 permit ip any any (24 matches)


As you should see, there is a high match count on the www port, and if we check it more deeply,
it looks like a DDoS or botnet. Should I protect the machine from the router for SYN?
You will see the same IP addresses multiple times.




Log Buffer (4096 bytes):
178.218.225.229(45309) -> 77.223.156.156(80), 1 packet
*Mar 22 14:12:05.610: %SEC-6-IPACCESSLOGP: list 103 permitted tcp 210.243.157.250(49073) -> 77.223.156.156(80), 1 packet
*Mar 22 14:12:06.617: %SEC-6-IPACCESSLOGP: list 103 permitted tcp 118.97.18.250(38050) -> 77.223.156.156(80), 1 packet
*Mar 22 14:12:07.624: %SEC-6-IPACCESSLOGP: list 103 permitted tcp 110.138.215.6(47457) -> 77.223.156.156(80), 1 packet
*Mar 22 14:12:08.639: %SEC-6-IPACCESSLOGP: list 103 permitted tcp 118.96.52.126(51286) -> 77.223.156.156(80), 1 packet
*Mar 22 14:12:09.645: %SEC-6-IPACCESSLOGP: list 103 permitted tcp 110.138.215.6(46925) -> 77.223.156.156(80), 1 packet
*Mar 22 14:12:10.652: %SEC-6-IPACCESSLOGP: list 103 permitted tcp 118.99.71.78(36473) -> 77.223.156.156(80), 1 packet
*Mar 22 14:12:11.667: %SEC-6-IPACCESSLOGP: list 103 permitted tcp 178.218.225.229(45423) -> 77.223.156.156(80), 1 packet
*Mar 22 14:12:12.674: %SEC-6-IPACCESSLOGP: list 103 permitted tcp 202.51.107.34(48246) -> 77.223.156.156(80), 1 packet
*Mar 22 14:12:13.722: %SEC-6-IPACCESSLOGP: list 103 permitted tcp 118.99.71.78(36519) -> 77.223.156.156(80), 1 packet
*Mar 22 14:12:14.729: %SEC-6-IPACCESSLOGP: list 103 permitted tcp 202.46.151.59(43061) -> 77.223.156.156(80), 1 packet
*Mar 22 14:12:15.735: %SEC-6-IPACCESSLOGP: list 103 permitted tcp 118.96.52.126(51314) -> 77.223.156.156(80), 1 packet
*Mar 22 14:12:16.750: %SEC-6-IPACCESSLOGP: list 103 permitted tcp 118.97.18.250(59450) -> 77.223.156.156(80), 1 packet
*Mar 22 14:12:17.757: %SEC-6-IPACCESSLOGP: list 103 permitted tcp 118.96.231.97(33249) -> 77.223.156.156(80), 1 packet
*Mar 22 14:12:18.764: %SEC-6-IPACCESSLOGP: list 103 permitted tcp 118.99.71.78(36565) -> 77.223.156.156(80), 1 packet
*Mar 22 14:12:19.770: %SEC-6-IPACCESSLOGP: list 103 permitted tcp 118.97.18.250(44337) -> 77.223.156.156(80), 1 packet
*Mar 22 14:12:20.777: %SEC-6-IPACCESSLOGP: list 103 permitted tcp 110.138.215.6(47386) -> 77.223.156.156(80), 1 packet
*Mar 22 14:12:21.800: %SEC-6-IPACCESSLOGP: list 103 permitted tcp 202.46.151.59(43094) -> 77.223.156.156(80), 1 packet
*Mar 22 14:12:22.824: %SEC-6-IPACCESSLOGP: list 103 permitted tcp 203.128.91.218(60787) -> 77.223.156.156(80), 1 packet
*Mar 22 14:12:23.830: %SEC-6-IPACCESSLOGP: list 103 permitted tcp 118.96.148.93(58391) -> 77.223.156.156(80), 1 packet
*Mar 22 14:12:24.854: %SEC-6-IPACCESSLOGP: list 103 permitted tcp 222.124.5.82(56125) -> 77.223.156.156(80), 1 packet
*Mar 22 14:12:25.877: %SEC-6-IPACCESSLOGP: list 103 permitted tcp 118.97.18.250(60742) -> 77.223.156.156(80), 1 packet
*Mar 22 14:12:26.901: %SEC-6-IPACCESSLOGP: list 103 permitted tcp 118.98.35.251(40721) -> 77.223.156.156(80), 1 packet
*Mar 22 14:12:27.907: %SEC-6-IPACCESSLOGP: list 103 permitted tcp 46.42.4.138(59687) -> 77.223.156.156(80), 1 packet
*Mar 22 14:12:28.914: %SEC-6-IPACCESSLOGP: list 103 permitted tcp 110.138.215.6(47587) -> 77.223.156.156(80), 1 packet
*Mar 22 14:12:29.929: %SEC-6-IPACCESSLOGP: list 103 permitted tcp 118.96.46.7(42925) -> 77.223.156.156(80), 1 packet
*Mar 22 14:12:30.936: %SEC-6-IPACCESSLOGP: list 103 permitted tcp 118.98.35.251(40633) -> 77.223.156.156(80), 1 packet
*Mar 22 14:12:31.942: %SEC-6-IPACCESSLOGP: list 103 permitted tcp 91.102.162.246(39821) -> 77.223.156.156(80), 1 packet
*Mar 22 14:12:32.949: %SEC-6-IPACCESSLOGP: list 103 permitted tcp 202.43.161.6(55527) -> 77.223.156.156(80), 1 packet
*Mar 22 14:12:33.955: %SEC-6-IPACCESSLOGP: list 103 permitted tcp 118.98.35.251(40837) -> 77.223.156.156(80), 1 packet
*Mar 22 14:12:34.962: %SEC-6-IPACCESSLOGP: list 103 permitted tcp 118.99.71.78(37003) -> 77.223.156.156(80), 1 packet
*Mar 22 14:12:35.977: %SEC-6-IPACCESSLOGP: list 103 permitted tcp 118.98.35.251(41153) -> 77.223.156.156(80), 1 packet
*Mar 22 14:12:36.984: %SEC-6-IPACCESSLOGP: list 103 permitted tcp 178.218.225.229(45826) -> 77.223.156.156(80), 1 packet
*Mar 22 14:12:37.999: %SEC-6-IPACCESSLOGP: list 103 permitted tcp 118.99.71.78(37046) -> 77.223.156.156(80), 1 packet
*Mar 22 14:12:39.014: %SEC-6-IPACCESSLOGP: list 103 permitted tcp 118.96.123.8(45272) -> 77.223.156.156(80), 1 packet

Asked by: 3XLcom
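
To check the "same IP addresses multiple times" observation in the question, this added example (not written by anyone in the thread) parses `%SEC-6-IPACCESSLOGP` entries and tallies repeat sources for one destination port. The function names, the `min_hits` threshold and the placeholder year are assumptions; the sample lines are copied from the log buffer above.

```python
import re
from collections import defaultdict
from datetime import datetime

# Entries copied from the log buffer above; the last one is its truncated first line.
SAMPLE_LOG = """\
*Mar 22 14:12:05.610: %SEC-6-IPACCESSLOGP: list 103 permitted tcp 210.243.157.250(49073) -> 77.223.156.156(80), 1 packet
*Mar 22 14:12:06.617: %SEC-6-IPACCESSLOGP: list 103 permitted tcp 118.97.18.250(38050) -> 77.223.156.156(80), 1 packet
*Mar 22 14:12:07.624: %SEC-6-IPACCESSLOGP: list 103 permitted tcp 110.138.215.6(47457) -> 77.223.156.156(80), 1 packet
*Mar 22 14:12:09.645: %SEC-6-IPACCESSLOGP: list 103 permitted tcp 110.138.215.6(46925) -> 77.223.156.156(80), 1 packet
*Mar 22 14:12:16.750: %SEC-6-IPACCESSLOGP: list 103 permitted tcp 118.97.18.250(59450) -> 77.223.156.156(80), 1 packet
*Mar 22 14:12:19.770: %SEC-6-IPACCESSLOGP: list 103 permitted tcp 118.97.18.250(44337) -> 77.223.156.156(80), 1 packet
*Mar 22 14:12:20.777: %SEC-6-IPACCESSLOGP: list 103 permitted tcp 110.138.215.6(47386) -> 77.223.156.156(80), 1 packet
*Mar 22 14:12:25.877: %SEC-6-IPACCESSLOGP: list 103 permitted tcp 118.97.18.250(60742) -> 77.223.156.156(80), 1 packet
178.218.225.229(45309) -> 77.223.156.156(80), 1 packet
"""

ENTRY = re.compile(
    r"^\*?(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d\.\d+): %SEC-6-IPACCESSLOGP: "
    r"list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>tcp|udp) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\), "
    r"\d+ packets?")

def parse(log_text):
    """Yield one dict per complete IPACCESSLOGP line; truncated lines are skipped."""
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            d = m.groupdict()
            # IOS timestamps carry no year; 2000 is a placeholder used only for time spans.
            d["ts"] = datetime.strptime("2000 " + d["ts"], "%Y %b %d %H:%M:%S.%f")
            yield d

def repeat_sources(log_text, dport="80", min_hits=3):
    """Return {src: (hits, distinct source ports, seconds between first and last hit)}."""
    seen = defaultdict(list)
    for e in parse(log_text):
        if e["action"] == "permitted" and e["dport"] == dport:
            seen[e["src"]].append(e)
    report = {}
    for src, entries in seen.items():
        if len(entries) >= min_hits:
            span = (entries[-1]["ts"] - entries[0]["ts"]).total_seconds()
            report[src] = (len(entries), len({e["sport"] for e in entries}), round(span, 3))
    return report

if __name__ == "__main__":
    for src, stats in sorted(repeat_sources(SAMPLE_LOG).items(), key=lambda kv: -kv[1][0]):
        print(src, stats)
```

ACL entry 10 matches every TCP packet to port 80, not only SYNs, and the 4096-byte buffer holds only a sample of the matches, so the tally ranks sources but does not by itself distinguish a SYN flood from ordinary repeat HTTP connections.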
 
Soulja Commented:
Try:

conf t
ip tcp intercept list 103

see if that changes anything.
 
3XLcom (Author) Commented:
Cisco.xxxx.Com.xx(config)#ip tcp int?
% Unrecognized command


Intercept is not a valid command for 3560 routers :(
 
Soulja Commented:
Looks like it must be a router feature and not a layer 3 switch feature for Cisco. Another reason to add to the list of why L3 switches shouldn't be placed on the internet edge. Sorry man, but you need some type of firewalling. An ACL just isn't enough these days.
 
3XLcom (Author) Commented:
Thanks