RE: [cisco-ttl] Access List : consecutive subnet

From: Mehmet Ali Suzen (msuzen_at_kibris.net)
Date: Tue Jan 04 2005 - 08:33:03 GMT

    Actually, I had not meant to advertise the real IPs. Last week there
    was a flow of around 1000 packets per second per rule from these
    blocks. We could not provide service for an entire day. And it was being
    sent as a SYN packet storm from the sources in the commands below. After
    a simple analysis with "debug ip packet detail", the places denied on
    the outbound interface are as follows; all of them show up in whois as
    Korean in origin. This is the second time this has happened to us. What
    kind of protection can we get against SYN storms?

    Extended IP access list 180
    access-list 180 deny ip 211.172.0.0 0.0.255.255 any
    access-list 180 deny ip 211.173.0.0 0.0.255.255 any
    access-list 180 deny ip 211.174.0.0 0.0.255.255 any
    access-list 180 deny ip 211.175.0.0 0.0.255.255 any
    access-list 180 deny ip 211.176.0.0 0.0.255.255 any
    access-list 180 deny ip 211.177.0.0 0.0.255.255 any
    access-list 180 deny ip 211.178.0.0 0.0.255.255 any
    access-list 180 deny ip 211.179.0.0 0.0.255.255 any
    access-list 180 deny ip 211.180.0.0 0.0.255.255 any
    access-list 180 deny ip 211.181.0.0 0.0.255.255 any
    access-list 180 deny ip 211.182.0.0 0.0.255.255 any
    access-list 180 deny ip 211.183.0.0 0.0.255.255 any
    access-list 180 deny ip 211.184.0.0 0.0.255.255 any
    access-list 180 deny ip 211.185.0.0 0.0.255.255 any
    access-list 180 deny ip 211.186.0.0 0.0.255.255 any
    access-list 180 deny ip 211.187.0.0 0.0.255.255 any
    access-list 180 deny ip 211.188.0.0 0.0.255.255 any
    access-list 180 deny ip 211.189.0.0 0.0.255.255 any
    access-list 180 deny ip 211.190.0.0 0.0.255.255 any
    access-list 180 deny ip 211.191.0.0 0.0.255.255 any
    access-list 180 deny ip 211.192.0.0 0.0.255.255 any
    access-list 180 deny ip 211.193.0.0 0.0.255.255 any
    access-list 180 deny ip 211.194.0.0 0.0.255.255 any
    access-list 180 deny ip 211.195.0.0 0.0.255.255 any
    access-list 180 deny ip 211.196.0.0 0.0.255.255 any
    access-list 180 deny ip 211.197.0.0 0.0.255.255 any
    access-list 180 deny ip 211.198.0.0 0.0.255.255 any
    access-list 180 deny ip 211.199.0.0 0.0.255.255 any
    access-list 180 deny ip 211.206.0.0 0.0.255.255 any
    access-list 180 deny ip 211.207.0.0 0.0.255.255 any
    access-list 180 deny ip 211.208.0.0 0.0.255.255 any
    access-list 180 deny ip 211.209.0.0 0.0.255.255 any
    access-list 180 deny ip 211.210.0.0 0.0.255.255 any
    access-list 180 deny ip 211.211.0.0 0.0.255.255 any
    access-list 180 deny ip 219.76.0.0 0.0.255.255 any
    access-list 180 deny ip 219.77.0.0 0.0.255.255 any
    access-list 180 deny ip 219.78.0.0 0.0.255.255 any
    access-list 180 deny ip 219.79.0.0 0.0.255.255 any
    access-list 180 deny ip 62.241.64.0 0.0.0.255 any
    access-list 180 deny ip 62.241.65.0 0.0.0.255 any
    access-list 180 deny ip 62.241.66.0 0.0.0.255 any
    access-list 180 deny ip 62.241.67.0 0.0.0.255 any
    access-list 180 deny ip 62.241.68.0 0.0.0.255 any
    access-list 180 deny ip 62.241.69.0 0.0.0.255 any
    access-list 180 deny ip 62.241.70.0 0.0.0.255 any
    access-list 180 deny ip 62.241.71.0 0.0.0.255 any
    access-list 180 deny ip 62.241.72.0 0.0.0.255 any
    access-list 180 deny ip 62.241.73.0 0.0.0.255 any
    access-list 180 deny ip 62.241.74.0 0.0.0.255 any
    access-list 180 deny ip 62.241.75.0 0.0.0.255 any
    access-list 180 deny ip 62.241.76.0 0.0.0.255 any
    access-list 180 deny ip 62.241.77.0 0.0.0.255 any
    access-list 180 deny ip 217.77.64.0 0.0.0.255 any
    access-list 180 permit icmp any host 212.175.247.3

    > The 10 network is not real, so this traffic cannot be coming from the internet.
    > In that case you can restrict it at the exit point of your internal network.
    >
    > If these IPs were only given as examples, extended ACLs can be written by
    > source and destination or by port.
    >
    > 172 is not a multiple of 16, but:
    >
    > deny ip 10.172.0.0 0.0.3.255 any
    >
    > deny ip 10.176.0.0 0.0.15.255 any
    >
    > this way 10.172.0.0-10.191.255.255 can be restricted.
    >
    > ________________________________
    >
    > From: Mehmet Ali Suzen [mailto:msuzen_at_kibris.net]
    > Sent: Tuesday, January 04, 2005 12:02 PM
    > To: cisco-ttl_at_yahoogroups.com
    > Subject: [cisco-ttl] Access List : consecutive subnet
    >
    >
    >
    > good day,
    > Last week there was an excessive packet flow from some Korean IPs, and
    > we had to deny these IP blocks. But the ACL list got very long. Example:
    > deny ip 10.172.0.0 0.0.255.255 any
    > deny ip 10.173.0.0 0.0.255.255 any
    > deny ip 10.174.0.0 0.0.255.255 any
    > How can I reduce this list to a single line? As an example, this list
    > runs from 10.172.0.0 to 10.189.0.0. Would there be a difference in
    > performance? Or does IOS have a smart algorithm for consecutive networks?
    > best regards,
    > Mehmet
    >
    >
    > This list has no affiliation with Cisco Systems.
    >
    > To leave the list you can send an e-mail to
    > cisco-ttl-unsubscribe_at_yahoogroups.com.
    This archive was generated by hypermail 2.1.5 : Tue Jan 04 2005 - 14:33:31 GMT