Re: Cisco Workaround

From: DOUGLAS GULLETT (dougg03_at_comcast.net)
Date: 07/23/03

    Date: Wed, 23 Jul 2003 15:16:28 -0400
    To: Alvaro Gordon-Escobar <alvaroge@molecularstaging.com>
    
    

    I don't think you have to put all the access-list in. I believe that
    the hack requires a certain combination of packets to the four ports,
    so leaving one or two of them open should still prevent the hack. That
    might be a good question for Cisco TAC...they should be willing to help
    even if you "misplaced" your SmartNet contract information. ;-)

    Doug

    ----- Original Message -----
    From: Alvaro Gordon-Escobar <alvaroge@molecularstaging.com>
    Date: Wednesday, July 23, 2003 10:15 am
    Subject: Cisco Workaround

    > Will this access list modification prevent my internal DNS server
    > from updates to itself from my telco's DNS server?
    >
    > access-list 101 deny 53 any any
    > access-list 101 deny 55 any any
    > access-list 101 deny 77 any any
    > access-list 101 deny 103 any any
    > !--- insert any other previously applied ACL entries here
    > !--- you must permit other protocols through to allow normal
    > !--- traffic -- previously defined permit lists will work
    > !--- or you may use the permit ip any any shown here
    > access-list 101 permit ip any any
    >
    > Thanks in advance
    >
    > ~alvaro Escobar
    >
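
The question in the quoted message can be checked by evaluating the ACL against DNS traffic. The following is an added example, not part of either message and not Cisco code: a small first-match evaluator for the quoted `access-list 101` lines. It relies on the fact that a bare number in the protocol position of an IOS extended ACL is an IP protocol number, while DNS is carried in UDP (IP protocol 17) and TCP (IP protocol 6) on port 53; the sample traffic is constructed.

```python
# Added example: first-match evaluation of the quoted ACL (not Cisco code).
from typing import NamedTuple, Optional

# ACL text as quoted in the message above.
ACL_101 = """\
access-list 101 deny 53 any any
access-list 101 deny 55 any any
access-list 101 deny 77 any any
access-list 101 deny 103 any any
!--- insert any other previously applied ACL entries here
access-list 101 permit ip any any
"""

# IANA IP protocol numbers for the IOS keywords handled here.
PROTO_KEYWORDS = {"icmp": 1, "tcp": 6, "udp": 17}

class Entry(NamedTuple):
    action: str            # "permit" or "deny"
    proto: Optional[int]   # None means "ip", i.e. any IP protocol
    text: str

def parse_acl(text: str) -> list:
    """Parse 'access-list N <action> <proto> any any' lines; skip comments."""
    entries = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 6 or f[0] != "access-list":
            continue  # '!---' comments and blank lines
        if f[4:] != ["any", "any"]:
            raise ValueError("only 'any any' entries are modelled: " + line)
        kw = f[3].lower()
        proto = None if kw == "ip" else PROTO_KEYWORDS.get(kw)
        if kw != "ip" and proto is None:
            proto = int(kw)  # bare number = IP protocol number, not a port
        entries.append(Entry(f[2], proto, line.strip()))
    return entries

def evaluate(entries, ip_proto: int):
    """Return (action, matching line); IOS stops at the first match."""
    for e in entries:
        if e.proto is None or e.proto == ip_proto:
            return e.action, e.text
    return "deny", "(implicit deny at end of ACL)"

if __name__ == "__main__":
    acl = parse_acl(ACL_101)
    # Constructed sample traffic: label -> IP protocol number in the header.
    for label, proto in [("DNS query (UDP dst port 53)", 17),
                         ("DNS zone transfer (TCP dst port 53)", 6),
                         ("IP protocol 53 datagram", 53)]:
        print(f"{label:38} -> {evaluate(acl, proto)}")
```

Both DNS cases fall through to `permit ip any any`; only datagrams whose IP header carries protocol 53, 55, 77 or 103 match a deny entry.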

