Which commercial internet are you using, Olivier?  I know of a lot of 
multicast routing going on....many of the major providers offer 
multicast services, and there are a couple of ISPs that do nothing 
but multicast.
Also, if I have an aggregation router with say 100 T1s terminating on 
it, those are going to be some ugly, and long, access-lists, applied 
to each T1 subinterface - especially since receive ACLs have only 
been ported to the 12xxx and 75xx platforms.
The only real 'fix' is to upgrade (you should still have proper 
in/outbound ACLs in place - but that is beyond this).

my $0.02

/joshua

On Monday 28 July 2003 17:11, Martin, Olivier wrote:
> My .02 cents..
>
> There are ways around that, such as denying packets to terminate on
> a router's interface from unknown addresses, as there is no need for
> these protocols on Cisco routers except protocol 103 used for PIM. 
> As multicast routing is not used on the commercial internet, it can
> safely be removed.
>
> Olivier
>
>
> -----Original Message-----
> From: Tim Donahue [mailto:[EMAIL PROTECTED]
> Sent: Friday, July 25, 2003 3:43 PM
> To: 'Ghaith Nasrawi'
> Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
> Subject: RE: Cisco Workaround
>
>
> Hmmm.... Why don't you open up the protocols from the addresses
> that you need.  Isn't this a standard firewalling technique?
>
> Plus I believe that they said that there are new versions of IOS
> that are not vulnerable to this attack, which means that you can
> upgrade IOS and resolve the issue all together.
>
> Tim Donahue
>
> > -----Original Message-----
> > From: Ghaith Nasrawi [mailto:[EMAIL PROTECTED]
> > Sent: Friday, July 25, 2003 11:33 AM
> > Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
> > Subject: RE: Cisco Workaround
> >
> >
> > Well, my question is; what the hell if I was using any of
> > these protocols?? Didn't cisco think of that?? They should
> > have suggested a more decent solution.
> >
> >
> > ./Ghaith
> > ===============
> >
> > Today is the tomorrow you worried about yesterday
> >
> >
> >
> >
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> > Sent: Wednesday, July 23, 2003 6:48 PM
> > To: Alvaro Gordon-Escobar
> > Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
> > Subject: Re: Cisco Workaround
> >
> > Alvaro,
> >
> > No.  The protocol blocked by the access-list is protocol 53, not
> > protocol TCP or protocol UDP port 53.
> >
> > If you need further info, let me know,
> >
> > -James
> >
> > At 09:15 7/23/2003, Alvaro Gordon-Escobar wrote:
> > >will this access list modification prevent my internal DNS server from
> > >updates to itself from my telco's DNS server?
> > >
> > >access-list 101 deny 53 any any
> > >access-list 101 deny 55 any any
> > >access-list 101 deny 77 any any
> > >access-list 101 deny 103 any any
> > >!--- insert any other previously applied ACL entries here
> > >!--- you must permit other protocols through to allow normal
> > >!--- traffic -- previously defined permit lists will work
> > >!--- or you may use the permit ip any any shown here
> > >access-list 101 permit ip any any
> > >
> > >Thanks in advance
> > >
> > >~alvaro Escobar
> > >


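The ACL quoted above matches IP protocol numbers (53, 55, 77, 103), not TCP/UDP port 53, which is the point of James's answer to Alvaro's DNS question. The following is an added example, not code from any message in this thread: a small evaluator for the classic numbered-ACL syntax that runs the quoted list, and a constructed variant in the interface-only form Olivier describes (192.0.2.1 is a hypothetical router address), against sample packets; the names in PROTO_NUMBERS are the IANA assignments for those numbers.

```python
# IANA names for the protocol numbers discussed in the thread (informational).
PROTO_NUMBERS = {"icmp": 1, "tcp": 6, "udp": 17, "swipe": 53,
                 "mobile": 55, "sun-nd": 77, "pim": 103}
# ACL 101 is the workaround quoted in the thread; ACL 102 is a constructed
# variant that denies those protocols only when addressed to a router
# interface (192.0.2.1 is a hypothetical example address).
ACL_101 = """access-list 101 deny 53 any any
access-list 101 deny 55 any any
access-list 101 deny 77 any any
access-list 101 deny 103 any any
!--- existing entries go here
access-list 101 permit ip any any"""
ACL_102 = """access-list 102 deny 53 any host 192.0.2.1
access-list 102 deny 55 any host 192.0.2.1
access-list 102 deny 77 any host 192.0.2.1
access-list 102 deny 103 any host 192.0.2.1
access-list 102 permit ip any any"""

def _addr(tokens):
    """Consume one address spec: 'any' or 'host A.B.C.D'."""
    if tokens[0] == "host":
        return tokens[1], tokens[2:]
    return None, tokens[1:]          # 'any'

def parse_acl(text):
    """Parse 'access-list N permit|deny PROTO SRC DST'; '!' starts a comment."""
    rules = []
    for line in text.splitlines():
        tokens = line.split("!")[0].split()
        if not tokens:
            continue
        action, proto = tokens[2], tokens[3]
        proto = None if proto == "ip" else PROTO_NUMBERS.get(proto) or int(proto)
        src, rest = _addr(tokens[4:])
        dst, _ = _addr(rest)
        rules.append((action, proto, src, dst))
    return rules

def evaluate(rules, proto, src, dst):
    """First matching entry wins, else implicit deny. proto is the IP header
    protocol number; TCP/UDP port numbers never enter into the match."""
    for action, rproto, rsrc, rdst in rules:
        if rproto is not None and rproto != proto:
            continue
        if rsrc is not None and rsrc != src:
            continue
        if rdst is not None and rdst != dst:
            continue
        return action
    return "deny"
```

Running DNS (UDP, protocol 17, port 53) through ACL 101 returns "permit", while a packet with IP protocol 53 returns "deny"; ACL 102 denies protocol 103 only when the destination is the router address, so transit PIM is unaffected.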