land protection for cisco

Stefan Stefanov (stefan@NS.BIS.BG)
Fri, 21 Nov 1997 17:01:28 +0200

hi.

Here is a simple protection against the land stuff for the Ciscos. It's an
extended IP access list that should be put on all the interfaces on the
box.

Extended IP Access list 105
deny tcp host 111.111.111.111 host 111.111.111.111
permit ip any any

where 111.111.111.111 is the interface's IP address. This should be put
as an input access-group.

Or if you don't get it here's what to type on your cisco's console.

rtr#config terminal
rtr(config)#access-list 105 deny tcp 111.111.111.111 0.0.0.0 111.111.111.111 0.0.0.0
rtr(config)#access-list 105 permit ip any any
rtr(config)#interface ethernet 0
rtr(config)#ip access-group 105 in
rtr(config)#exit
rtr(config)#interface serial 0
rtr(config)#ip access-group 105 in

and so on for the rest of the interfaces... Replace 105 with a free
extended access-list number.

I have tested it on our cisco 2511 and it works just ok.

Best regards, Stefan Stefanov.

WWW: http://www.bis.bg/~stefan
E-mail: stefan@bis.bg
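
The access list above, checked offline, as an added example that is not part of the original post: a small first-match evaluator for the two entry forms the post uses (`host A` and `A wildcard`), run against constructed packets. The function names and the 198.51.100.7 / 192.0.2.129 addresses are assumptions made for the illustration; 111.111.111.111 is the post's own placeholder.

```python
import ipaddress

def _take_addr(tokens):
    """Consume one address spec: 'any', 'host A', or 'A WILDCARD'."""
    head = tokens.pop(0)
    if head == "any":
        return 0, 0xFFFFFFFF
    if head == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0
    return int(ipaddress.IPv4Address(head)), int(ipaddress.IPv4Address(tokens.pop(0)))

def parse_acl(text):
    """Parse 'access-list N action proto src dst' lines into rule tuples."""
    rules = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if tokens[:1] != ["access-list"]:
            continue
        action, proto = tokens[2], tokens[3]
        rest = tokens[4:]
        src = _take_addr(rest)
        dst = _take_addr(rest)
        rules.append((action, proto, src, dst))
    return rules

def _match(spec, addr):
    base, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF  # wildcard bits set to 1 mean "don't care"
    return (int(ipaddress.IPv4Address(addr)) & care) == (base & care)

def evaluate(rules, proto, src, dst):
    """First matching entry wins; every ACL ends with an implicit deny."""
    for action, rproto, rsrc, rdst in rules:
        if rproto in ("ip", proto) and _match(rsrc, src) and _match(rdst, dst):
            return action
    return "deny"

# The two entries from the post, with its placeholder interface address.
ACL_105 = """
access-list 105 deny tcp 111.111.111.111 0.0.0.0 111.111.111.111 0.0.0.0
access-list 105 permit ip any any
"""
RULES = parse_acl(ACL_105)

if __name__ == "__main__":
    for pkt in [("tcp", "111.111.111.111", "111.111.111.111"),  # src == dst == interface
                ("tcp", "198.51.100.7", "111.111.111.111"),      # ordinary inbound TCP
                ("tcp", "192.0.2.129", "192.0.2.129")]:          # address with no deny entry
        print(pkt, "->", evaluate(RULES, *pkt))
```

The third packet falls through to the permit entry because the deny line matches only the one listed address, so a list shared across interfaces needs a deny entry for each address the router owns.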