Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com

Neohapsis > Archives > Bugtraq> 1997_4

Bugtraq archives for 4th quarter (Oct-Dec) 1997: land protection for cisco

land protection for cisco

Stefan Stefanov (stefanNS.BIS.BG)
Fri, 21 Nov 1997 17:01:28 +0200

Messages sorted by: [ date ][ thread ][ subject ][ author ]
Next message: blast: "44BSD port of land.c"
Previous message: Eric Thacker: "Land and Cisco Routers."
Next in thread: Richard Huddleston: "Re: land protection for cisco"

hi.

Here is a simple protection against the land stuff for the cisco's. It's a
extended ip access list that should be put on all the intefaces on the
box.

Extended IP Access list 105
deny tcp host 111.111.111.111 host 111.111.111.111
permit ip any any

where 111.111.111.111 is the interface's ip address. This should be put
as
an input access-group.

Or if you don't get it here's what to type on your cisco's console.

rtr#config terminal
rtr(config)#access-list 105 deny tcp 111.111.111.111 0.0.0.0 111.111.111.111 0.0.0.0
rtr(config)#access-list 105 permit ip any any
rtr(config)#interface ethernet 0
rtr(config)#ip access-group 105 in
rtr(config)#exit
rtr(config)#interface serial 0
rtr(config)#ip access-group 105 in

and so on for the rest of the interfaces... Replace 105 with a free
extended access-list number.

I have tested it on our cisco 2511 and it works just ok.

Best regards, Stefan Stefanov.

WWW:    http://www.bis.bg/~stefan
E-mail: stefanbis.bg

Next message: blast: "44BSD port of land.c"
Previous message: Eric Thacker: "Land and Cisco Routers."
Next in thread: Richard Huddleston: "Re: land protection for cisco"