MAx TNT Filter -- Actual FILTER
From: Sean Watkins <sean () northrock bm>
Date: Tue, 26 Aug 2003 00:22:32 -0300


TNT Users:

Apologies: I know I am posting to multiple lists, but they are multiple lists with Ascend users. None so far have posted one, and numerous people are asking for it, including myself! Hopefully recommendations will follow.

After several hours of trial and error, after I set up the recommended Cisco filters upstream from the TNT equipment, I have been constantly watching log entries to find people blasting away with ICMP/UDP port 135/TCP port 137 the most.

I have come up with a filter for the TNT:

new FILTER
set filter-name = pre-nachi2
set input-filters 1 valid-entry = yes
set input-filters 1 Type = ip-filter
set input-filters 1 ip-filter protocol = 6
set input-filters 1 ip-filter Dst-Port-Cmp = eql
set input-filters 1 ip-filter dest-port = 135
set input-filters 2 valid-entry = yes
set input-filters 2 Type = ip-filter
set input-filters 2 ip-filter protocol = 17
set input-filters 2 ip-filter Dst-Port-Cmp = eql
set input-filters 2 ip-filter dest-port = 137
set input-filters 3 valid-entry = yes
set input-filters 3 forward = yes
set input-filters 3 Type = ip-filter
set input-filters 3 ip-filter protocol = 1
set input-filters 3 ip-filter dest-address-mask = 255.255.255.255
set input-filters 3 ip-filter dest-address = X.X.X.X
set input-filters 4 valid-entry = yes
set input-filters 4 Type = ip-filter
set input-filters 4 ip-filter protocol = 1
set input-filters 5 valid-entry = yes
set input-filters 5 forward = yes
set input-filters 5 Type = ip-filter
write -f
;

This filter blocks UDP port 135 and TCP port 137, allows ICMP to X.X.X.X, drops all other ICMP, and then allows any other traffic out.

Basically, X.X.X.X is a machine here we can use to have customers ping us / we ping them. This filter seems to work for 90% of people, but for unknown reasons, ICMP still seems to leak in. Any ideas?

I'm applying this filter to data under answer-defaults, session-info.

I've set iproute-cache-enable = no,

Disabled proxy ARP... everything. Still we are dropping packets at peak times left, right and center for unknown reasons. "show ip cache flow" on the upstream Cisco gear shows basically regular traffic.

Ideas/comments etc?


Sean



----- Original Message -----
From: "Dave Birkbeck" <dbirkbeck () ikano com>
To: "'Tony Bunce'" <tonyb () go-concepts com>; "'Sean Watkins (northrock)'"
<sean () northrock bm>; <radiator () open com au>
Sent: Monday, August 25, 2003 7:27 PM
Subject: RE: (RADIATOR) MAx TNT & MSBlast


All,

In addition to having the ACLs that Cisco recommends, has anyone come
up with a RADIUS ascend-data-filter that will slow down the spread of
these crazy viruses? Or better yet, a filter that will block ICMP?

Again, I know this is probably not the list for this discussion, but
this topic is definitely for the greater good of the Internet.

That being said does anyone know of a list that discusses various NAS
topics?
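A small model of how a TNT evaluates an input-filter list, added here as an example (it is not from the post above and not Ascend's code): it assumes first-match, forward-defaults-to-no, unmatched-means-drop semantics as described in the Ascend filter documentation, and substitutes a constructed address for X.X.X.X. Running the pre-nachi2 entries through it also makes visible that entries 1 and 2, as written, match protocol 6 (TCP) on port 135 and protocol 17 (UDP) on port 137.

```python
"""Model of Ascend TNT ip-filter evaluation (added example, assumptions
noted inline; not verified against real hardware)."""
from ipaddress import IPv4Address, IPv4Network

PING_HOST = "198.51.100.10"  # constructed stand-in for X.X.X.X in the post

# The pre-nachi2 entries from the post, keeping only the fields that were set.
# Assumption: 'forward' defaults to no when an entry does not set it.
PRE_NACHI2 = [
    {"protocol": 6, "dest_port": 135, "forward": False},              # entry 1
    {"protocol": 17, "dest_port": 137, "forward": False},             # entry 2
    {"protocol": 1, "dest_address": PING_HOST,                        # entry 3
     "dest_mask": "255.255.255.255", "forward": True},
    {"protocol": 1, "forward": False},                                # entry 4
    {"forward": True},                                                # entry 5: catch-all
]


def matches(entry, pkt):
    """pkt: dict with proto, dst and (for TCP/UDP) dport.
    Unset fields match anything: protocol 0 = any protocol,
    dest mask 0.0.0.0 = any address, no port compare = any port."""
    if entry.get("protocol", 0) and entry["protocol"] != pkt["proto"]:
        return False
    if "dest_address" in entry:
        mask = entry.get("dest_mask", "0.0.0.0")
        net = IPv4Network((entry["dest_address"], mask), strict=False)
        if IPv4Address(pkt["dst"]) not in net:
            return False
    if "dest_port" in entry and entry["dest_port"] != pkt.get("dport"):
        return False
    return True


def evaluate(filters, pkt):
    """Return 'forward' or 'drop' for one packet under first-match rules.
    Assumption: a packet matching no entry is discarded by the TNT."""
    for entry in filters:
        if matches(entry, pkt):
            return "forward" if entry.get("forward", False) else "drop"
    return "drop"


if __name__ == "__main__":
    for pkt in ({"proto": 6, "dst": "203.0.113.5", "dport": 135},
                {"proto": 17, "dst": "203.0.113.5", "dport": 135},
                {"proto": 1, "dst": PING_HOST},
                {"proto": 1, "dst": "203.0.113.5"}):
        print(pkt, "->", evaluate(PRE_NACHI2, pkt))
```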

