Re: [cisco-ttl] Access List : consecutive subnets

From: Ilker Temir (ilker_at_ilkertemir.com)
Date: Tue Jan 04 2005 - 10:57:53 GMT


    In that case you need to consolidate the access-lists the way Yavuz Bey
    described.

    There are various advanced devices against SYN and similar DoS attacks
    (such as Riverhead), but I suppose you don't have such a system. In that case,
    what you can do will mostly be on the operating system that is being
    attacked. Anti-spoofing and filtering also help to some extent.

    You can also take a look at the address below.

    http://www.cisco.com/warp/public/707/4.html

    Ilker

    Mehmet Ali Suzen wrote:
    > Actually I did not want to advertise the real IPs. Last week there was a
    > flow of around 1000 packets per second per rule from these blocks.
    > We could not provide service for a whole day. And from the entries below
    > it was being sent in the form of a SYN packet storm. After a simple analysis
    > with "debug ip packet detail", the sources denied on the outbound interface
    > are as follows; all of them show up in whois as Korean in origin.
    > This is the second time this has happened to us. What kind of protection can we get against SYN storms?
    >
    > Extended IP access list 180
    > access-list 180 deny ip 211.172.0.0 0.0.255.255 any
    > access-list 180 deny ip 211.173.0.0 0.0.255.255 any
    > access-list 180 deny ip 211.174.0.0 0.0.255.255 any
    > access-list 180 deny ip 211.175.0.0 0.0.255.255 any
    > access-list 180 deny ip 211.176.0.0 0.0.255.255 any
    > access-list 180 deny ip 211.177.0.0 0.0.255.255 any
    > access-list 180 deny ip 211.178.0.0 0.0.255.255 any
    > access-list 180 deny ip 211.179.0.0 0.0.255.255 any
    > access-list 180 deny ip 211.180.0.0 0.0.255.255 any
    > access-list 180 deny ip 211.181.0.0 0.0.255.255 any
    > access-list 180 deny ip 211.182.0.0 0.0.255.255 any
    > access-list 180 deny ip 211.183.0.0 0.0.255.255 any
    > access-list 180 deny ip 211.184.0.0 0.0.255.255 any
    > access-list 180 deny ip 211.185.0.0 0.0.255.255 any
    > access-list 180 deny ip 211.186.0.0 0.0.255.255 any
    > access-list 180 deny ip 211.187.0.0 0.0.255.255 any
    > access-list 180 deny ip 211.188.0.0 0.0.255.255 any
    > access-list 180 deny ip 211.189.0.0 0.0.255.255 any
    > access-list 180 deny ip 211.190.0.0 0.0.255.255 any
    > access-list 180 deny ip 211.191.0.0 0.0.255.255 any
    > access-list 180 deny ip 211.192.0.0 0.0.255.255 any
    > access-list 180 deny ip 211.193.0.0 0.0.255.255 any
    > access-list 180 deny ip 211.194.0.0 0.0.255.255 any
    > access-list 180 deny ip 211.195.0.0 0.0.255.255 any
    > access-list 180 deny ip 211.196.0.0 0.0.255.255 any
    > access-list 180 deny ip 211.197.0.0 0.0.255.255 any
    > access-list 180 deny ip 211.198.0.0 0.0.255.255 any
    > access-list 180 deny ip 211.199.0.0 0.0.255.255 any
    > access-list 180 deny ip 211.206.0.0 0.0.255.255 any
    > access-list 180 deny ip 211.207.0.0 0.0.255.255 any
    > access-list 180 deny ip 211.208.0.0 0.0.255.255 any
    > access-list 180 deny ip 211.209.0.0 0.0.255.255 any
    > access-list 180 deny ip 211.210.0.0 0.0.255.255 any
    > access-list 180 deny ip 211.211.0.0 0.0.255.255 any
    > access-list 180 deny ip 219.76.0.0 0.0.255.255 any
    > access-list 180 deny ip 219.77.0.0 0.0.255.255 any
    >
    > access-list 180 deny ip 219.76.0.0 0.0.255.255 any
    > access-list 180 deny ip 219.77.0.0 0.0.255.255 any
    > access-list 180 deny ip 219.78.0.0 0.0.255.255 any
    > access-list 180 deny ip 219.79.0.0 0.0.255.255 any
    > access-list 180 deny ip 62.241.64.0 0.0.0.255 any
    > access-list 180 deny ip 62.241.65.0 0.0.0.255 any
    > access-list 180 deny ip 62.241.66.0 0.0.0.255 any
    > access-list 180 deny ip 62.241.67.0 0.0.0.255 any
    > access-list 180 deny ip 62.241.68.0 0.0.0.255 any
    > access-list 180 deny ip 62.241.69.0 0.0.0.255 any
    > access-list 180 deny ip 62.241.70.0 0.0.0.255 any
    > access-list 180 deny ip 62.241.71.0 0.0.0.255 any
    > access-list 180 deny ip 62.241.72.0 0.0.0.255 any
    > access-list 180 deny ip 62.241.73.0 0.0.0.255 any
    > access-list 180 deny ip 62.241.74.0 0.0.0.255 any
    > access-list 180 deny ip 62.241.75.0 0.0.0.255 any
    > access-list 180 deny ip 62.241.76.0 0.0.0.255 any
    > access-list 180 deny ip 62.241.77.0 0.0.0.255 any
    > access-list 180 deny ip 217.77.64.0 0.0.0.255 any
    > access-list 180 permit icmp any host 212.175.247.3
    >
    >>The 10 network is not real, so this traffic cannot be coming from the Internet.
    >>In that case you can restrict it at the exit point of your internal network.
    >>
    >>If these IPs were only given as an example, extended ACLs can be written
    >>by source and destination or by port.
    >>
    >>172 is not a multiple of 16, but:
    >>
    >>deny ip 10.172.0.0 0.0.252.255 any
    >>
    >>deny ip 10.176.0.0 0.0.240.255 any
    >>
    >>in this form the range 10.172.0.0-10.191.255.255 can be restricted.
    >>
    >>________________________________
    >>
    >>From: Mehmet Ali Suzen [mailto:msuzen_at_kibris.net]
    >>Sent: Tuesday, January 04, 2005 12:02 PM
    >>To: cisco-ttl_at_yahoogroups.com
    >>Subject: [cisco-ttl] Access List : consecutive subnets
    >>
    >>Good day,
    >>There was an excessive packet flow from some Korean IPs during the past week,
    >>and we had to deny these IP blocks. But the ACL list became very long. Example;
    >> deny ip 10.172.0.0 0.0.255.255 any
    >> deny ip 10.173.0.0 0.0.255.255 any
    >> deny ip 10.174.0.0 0.0.255.255 any
    >>How can I reduce this list to a single line? As an example, this list runs
    >>up to 10.172.0.0-10.189.0.0. Would there be a difference in terms of performance?
    >>Or does IOS have a smart algorithm for consecutive networks?
    >>Regards,
    >>Mehmet
    >>
    >>This list has no affiliation with Cisco Systems.
    >>
    >>To leave the list, you can send an e-mail to cisco-ttl-unsubscribe_at_yahoogroups.com.
    >>
    >>Yahoo! Groups Links
    >>
    >>* To visit your group on the web, go to:
    >> http://groups.yahoo.com/group/cisco-ttl/
    >>
    >>* To unsubscribe from this group, send an email to:
    >> cisco-ttl-unsubscribe_at_yahoogroups.com
    >><mailto:cisco-ttl-unsubscribe_at_yahoogroups.com?subject=Unsubscribe>
    >>
    >>* Your use of Yahoo! Groups is subject to the Yahoo! Terms of Service
    >><http://docs.yahoo.com/info/terms/> .




    This archive was generated by hypermail 2.1.5 : Tue Jan 04 2005 - 16:45:31 GMT