RE: Cisco Workaround

From: Wolfpaw - Dale Corse (admin-lists_at_wolfpaw.net)
Date: 07/24/03

  • Next message: Byrne Ghavalas: "RE: Cisco Workaround"
To: "DOUGLAS GULLETT" <dougg03@comcast.net>, "Alvaro Gordon-Escobar" <alvaroge@molecularstaging.com>
Date: Wed, 23 Jul 2003 22:03:25 -0600

Be aware: the hack is a Denial of Service attack, and it can be
accomplished with ANY ONE of these protocols; there is no special
combination required. Call Cisco TAC and they will give you updated
software for your device, which voids the need for the ACL.

Regards,
D.
--------------------------------
Dale Corse
System Administrator
Wolfpaw Services Inc.
http://www.wolfpaw.net
(780) 474-4095

> -----Original Message-----
> From: DOUGLAS GULLETT [mailto:dougg03@comcast.net]
> Sent: Wednesday, July 23, 2003 1:16 PM
> To: Alvaro Gordon-Escobar
> Cc: firewalls@securityfocus.com; security-basics@securityfocus.com
> Subject: Re: Cisco Workaround
>
> I don't think you have to put all the access-list in. I believe that
> the hack requires a certain combination of packets to the four ports,
> so leaving one or two of them open should still prevent the hack. That
> might be a good question for Cisco TAC...they should be willing to help
> even if you "misplaced" your SmartNet contract information. ;-)
>
> Doug
>
> ----- Original Message -----
> From: Alvaro Gordon-Escobar <alvaroge@molecularstaging.com>
> Date: Wednesday, July 23, 2003 10:15 am
> Subject: Cisco Workaround
>
> > Will this access list modification prevent my internal DNS server
> > from updates to itself from my telco's DNS server?
> >
> > access-list 101 deny 53 any any
> > access-list 101 deny 55 any any
> > access-list 101 deny 77 any any
> > access-list 101 deny 103 any any
> > !--- insert any other previously applied ACL entries here
> > !--- you must permit other protocols through to allow normal
> > !--- traffic -- previously defined permit lists will work
> > !--- or you may use the permit ip any any shown here
> > access-list 101 permit ip any any
> >
> > Thanks in advance
> >
> > ~alvaro Escobar

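As an added example (not from any message in this thread), here is a small Python evaluator for the ACL quoted above. In Cisco extended-ACL syntax the field after permit/deny is the IP protocol, so these entries match IP protocol numbers 53, 55, 77 and 103 in the IP header, not TCP/UDP port 53; DNS traffic (protocol 17 or 6 to port 53) falls through to `permit ip any any`. The ACL text and the sample packets are constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed from the ACL quoted in the thread (one IOS "!" comment kept).
ACL_101 = """
access-list 101 deny 53 any any
access-list 101 deny 55 any any
access-list 101 deny 77 any any
access-list 101 deny 103 any any
!--- previously applied entries would go here
access-list 101 permit ip any any
""".strip().splitlines()

UDP, TCP = 17, 6  # IP protocol numbers of the two DNS transports

@dataclass(frozen=True)
class Packet:
    protocol: int                   # protocol field of the IP header
    dst_port: Optional[int] = None  # transport port; these entries never look at it

def parse_acl(lines: List[str]) -> List[Tuple[str, Optional[int]]]:
    """Parse 'access-list <n> {permit|deny} <proto> any any' entries, where
    <proto> is an IP protocol number or 'ip' (every protocol), not a port."""
    rules = []
    for raw in lines:
        line = raw.split("!", 1)[0].strip()  # '!' begins an IOS comment
        if not line:
            continue
        parts = line.split()
        if len(parts) != 6 or parts[0] != "access-list" or parts[4:] != ["any", "any"]:
            raise ValueError(f"unsupported ACL entry: {raw!r}")
        action, proto = parts[2], parts[3]
        if action not in ("permit", "deny"):
            raise ValueError(f"unsupported action in: {raw!r}")
        rules.append((action, None if proto == "ip" else int(proto)))
    return rules

def evaluate(rules, pkt: Packet) -> str:
    """First matching entry wins; an unmatched packet hits the implicit deny."""
    for action, proto in rules:
        if proto is None or proto == pkt.protocol:
            return action
    return "deny"

def dns_allowed(rules) -> bool:
    """Alvaro's question: does DNS (UDP/TCP to port 53) still get through?"""
    return all(evaluate(rules, Packet(p, 53)) == "permit" for p in (UDP, TCP))
```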