[39751] in North American Network Operators' Group
Re: filtering whitehouse.gov?
daemon@ATHENA.MIT.EDU (Sabri Berisha)
Sun Jul 22 05:51:40 2001
Date: Sun, 22 Jul 2001 11:51:56 +0200 (CEST)
From: Sabri Berisha <sabri@bit.nl>
To: "Jon O ." <jono@microshaft.org>
Cc: <nanog@nanog.org>
In-Reply-To: <20010721154348.C86996@networkcommand.com>
Message-ID: <Pine.LNX.4.33.0107221143530.25729-100000@bofh.bit.nl>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Errors-To: owner-nanog-outgoing@merit.edu
On Sat, 21 Jul 2001, Jon O . wrote:
> I understand your need to do something like this, but you are
> essentially causing the worm to fulfill its goal and
> censoring your customers. I worried that many people would do this.
> Why not just use outbound Cisco ACLs on your CPE, Core, and Border
> routers to permit and log the traffic to the one IP address being
> attacked and then contact the people who have hacked machines? Or,
> if you must use the ACLs to deny the packets with the goal of
> identifying machines and getting them fixed.
Outbound ACLs are an option but then you would have to be sure that they
are sending the packets to port 80.
> access-list 199 permit tcp any host 198.137.240.91 eq 80 log
> access-list 199 permit tcp any host 198.137.240.92 eq 80 log
>
> You should already be logging packets to a syslog server.
We already log every packet coming by on a machine which counts the
traffic so any infected box will be identified soon.
> To make deny rules just change the permit to deny. However, this is
> kind of drastic and almost amounts to censorship.
Censorship is a way to see it; I prefer to call it operational prevention
of a DoS attack. The risk of "censoring" two IPs over DoS'ing an entire
network is one I can explain to angry customers (if there are any).
--
/* Sabri Berisha CCNA,BOFH,+iO O.O speaking for just myself
* Join HAL!!: www.HAL2001.org ____oOo_U_oOo____ http://www.bit.nl/~sabri
* "We deliver quality services, we just can't get it on the internet"
* Anonymous sysadmin - on IRC */
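As an added example that is not part of the thread, a small Python script doing what the quoted ACLs are meant to enable: parse the syslog entries that the "log" keyword on access-list 199 produces and tally which internal sources are sending to the two whitehouse.gov addresses on port 80, so infected boxes can be found and fixed. The log lines, the internal host addresses, the router name and the packet threshold are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample lines in the shape of Cisco IOS %SEC-6-IPACCESSLOGP
# syslog entries produced by the "log" keyword on access-list 199.
# Internal hosts, router name and packet counts are made up for the example.
SAMPLE_SYSLOG = """\
Jul 21 15:43:48 core1 1234: %SEC-6-IPACCESSLOGP: list 199 permitted tcp 10.1.2.3(1542) -> 198.137.240.91(80), 1 packet
Jul 21 15:43:49 core1 1235: %SEC-6-IPACCESSLOGP: list 199 permitted tcp 10.1.2.3(1543) -> 198.137.240.92(80), 1 packet
Jul 21 15:43:50 core1 1236: %SEC-6-IPACCESSLOGP: list 199 permitted tcp 10.1.9.9(2001) -> 198.137.240.91(80), 1 packet
Jul 21 15:48:51 core1 1237: %SEC-6-IPACCESSLOGP: list 199 permitted tcp 10.1.2.3(1544) -> 198.137.240.91(80), 37 packets
Jul 21 15:49:02 core1 1238: %SEC-6-IPACCESSLOGP: list 199 permitted tcp 10.1.7.7(3333) -> 198.137.240.91(80), 12 packets
"""

# Matches the ACL log line whether the ACL uses permit or deny, since both
# variants discussed in the thread log the same way.
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?:permitted|denied) tcp "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\(\d+\) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\((?P<dport>\d+)\), (?P<n>\d+) packets?"
)

# The two addresses from the quoted access-list 199 entries.
TARGETS = {"198.137.240.91", "198.137.240.92"}

def count_sources(syslog_text, acl="199", targets=TARGETS, port="80"):
    """Sum logged packets per source address sent to the watched hosts on port 80."""
    totals = defaultdict(int)
    for line in syslog_text.splitlines():
        m = LOG_RE.search(line)
        if not m or m["acl"] != acl:
            continue
        if m["dst"] in targets and m["dport"] == port:
            totals[m["src"]] += int(m["n"])
    return dict(totals)

def suspect_hosts(syslog_text, threshold=10):
    """Return sources whose packet count reaches the threshold, busiest first.
    One hit may be a curious user; sustained port-80 traffic to both addresses
    is the pattern the logging ACL was written to surface (threshold assumed)."""
    totals = count_sources(syslog_text)
    return sorted((src for src, n in totals.items() if n >= threshold),
                  key=lambda s: -totals[s])

if __name__ == "__main__":
    counts = count_sources(SAMPLE_SYSLOG)
    for src in suspect_hosts(SAMPLE_SYSLOG):
        print(f"{src}: {counts[src]} packets to the watched hosts on port 80")
```

In production the input would be the file the syslog server writes, and the threshold would be tuned against the normal browsing rate of the customer base.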