[61077] in North American Network Operators' Group


RE: Cisco filter question

daemon@ATHENA.MIT.EDU (Owen DeLong)
Fri Aug 22 13:33:38 2003

Date: Fri, 22 Aug 2003 10:29:36 -0700
From: Owen DeLong <owen@delong.com>
To: Michel Py <michel@arneill-py.sacramento.ca.us>,
	"Geo." <georger@getinfo.net>, nanog@merit.edu
In-Reply-To: <DD7FE473A8C3C245ADA2A2FE1709D90B0221DA@server2003.arneill-py.sacramento.ca.us>
Errors-To: owner-nanog-outgoing@merit.edu


Because your acl matches echo reply and the packet is echo request.

Owen


--On Friday, August 22, 2003 10:02 AM -0700 Michel Py
<michel@arneill-py.sacramento.ca.us> wrote:

>
> Instead of:
>> set interface Null0
>
> Use: set ip next-hop 10.255.255.254
>
> _and_
> ip route 10.255.255.254 255.255.255.255 Null0 name BLACKHOLE
>
> Michel.
>
> -----Original Message-----
> From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Geo.
> Sent: Friday, August 22, 2003 9:17 AM
> To: nanog@merit.edu
> Subject: Cisco filter question
>
>
> Perhaps one of you router experts can answer this question. When using
> the cisco specified filter
>
>     access-list 199 permit icmp any any echo
>     access-list 199 permit icmp any any echo-reply
>
>     route-map nachi-worm permit 10
>       ! --- match ICMP echo requests and replies (type 0 & 8)
>       match ip address 199
>
>       ! --- match 92 bytes sized packets
>       match length 92 92
>
>       ! --- drop the packet
>       set interface Null0
>
>
>     interface <incoming-interface>
>       ! --- it is recommended to disable unreachables
>       no ip unreachables
>
>       ! --- if not using CEF, enabling ip route-cache flow is recommended
>       ip route-cache policy
>
>       ! --- apply Policy Based Routing to the interface
>       ip policy route-map nachi-worm
>
> why would it not stop this packet
>
> 15 1203.125000 0003E3956600 AMERIC6625D4 ICMP Echo: From 216.144.20.69 To 216.144.00.27 216.144.20.69 216.144.0.27 IP
> FRAME: Base frame properties
>     FRAME: Time of capture = 8/22/2003 11:54:16.859
>     FRAME: Time delta from previous physical frame: 0 microseconds
>     FRAME: Frame number: 15
>     FRAME: Total frame length: 106 bytes
>     FRAME: Capture frame length: 106 bytes
>     FRAME: Frame data: Number of data bytes remaining = 106 (0x006A)
> ETHERNET: ETYPE = 0x0800 : Protocol = IP:  DOD Internet Protocol
>     ETHERNET: Destination address : 00C0B76625D4
>         ETHERNET: .......0 = Individual address
>         ETHERNET: ......0. = Universally administered address
>     ETHERNET: Source address : 0003E3956600
>         ETHERNET: .......0 = No routing information present
>         ETHERNET: ......0. = Universally administered address
>     ETHERNET: Frame Length : 106 (0x006A)
>     ETHERNET: Ethernet Type : 0x0800 (IP:  DOD Internet Protocol)
>     ETHERNET: Ethernet Data: Number of data bytes remaining = 92 (0x005C)
> IP: ID = 0x848; Proto = ICMP; Len: 92
>     IP: Version = 4 (0x4)
>     IP: Header Length = 20 (0x14)
>     IP: Precedence = Routine
>     IP: Type of Service = Normal Service
>     IP: Total Length = 92 (0x5C)
>     IP: Identification = 2120 (0x848)
>     IP: Flags Summary = 0 (0x0)
>         IP: .......0 = Last fragment in datagram
>         IP: ......0. = May fragment datagram if necessary
>     IP: Fragment Offset = 0 (0x0) bytes
>     IP: Time to Live = 124 (0x7C)
>     IP: Protocol = ICMP - Internet Control Message
>     IP: Checksum = 0x70D8
>     IP: Source Address = 216.144.20.69
>     IP: Destination Address = 216.144.0.27
>     IP: Data: Number of data bytes remaining = 72 (0x0048)
> ICMP: Echo: From 216.144.20.69 To 216.144.00.27
>     ICMP: Packet Type = Echo
>     ICMP: Echo Code = 0 (0x0)
>     ICMP: Checksum = 0x82AA
>     ICMP: Identifier = 512 (0x200)
>     ICMP: Sequence Number = 7680 (0x1E00)
>     ICMP: Data: Number of data bytes remaining = 64 (0x0040)
> 00000:  00 C0 B7 66 25 D4 00 03 E3 95 66 00 08 00 45 00   .À·f%Ô..ã*f...E.
> 00010:  00 5C 08 48 00 00 7C 01 70 D8 D8 90 14 45 D8 90   .\.H..|.pØØ?.EØ?
> 00020:  00 1B 08 00 82 AA 02 00 1E 00 AA AA AA AA AA AA   ....'ª....ªªªªªª
> 00030:  AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA   ªªªªªªªªªªªªªªªª
> 00040:  AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA   ªªªªªªªªªªªªªªªª
> 00050:  AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA   ªªªªªªªªªªªªªªªª
> 00060:  AA AA AA AA AA AA AA AA AA AA                     ªªªªªªªªªª
>
>
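
The thread turns on what the route-map's two clauses see when the captured frame arrives: access-list 199 (ICMP echo / echo-reply) and `match length 92 92`. The following is an added example, not code from any poster and not Cisco's implementation: it decodes the 106-byte frame transcribed from the hex dump above (a constructed sample embedded inline) and re-evaluates both clauses over it. The function names, the `ParsedFrame` dataclass and the `layer3_length` flag are this example's own. It assumes that `match length` tests the IPv4 Total Length (92 here); the flag lets you see what the same 92..92 window gives against the Layer 2 frame length (106) that the sniffer reports, since the two differ by the 14-byte Ethernet header.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# Constructed sample input: the 106-byte frame from the thread's capture,
# transcribed from its hex dump. Ethernet II header (14) + IPv4 header (20)
# + ICMP echo header (8) + 64 bytes of 0xAA payload.
CAPTURED_FRAME = bytes.fromhex(
    "00c0b76625d4" "0003e3956600" "0800"              # dst MAC, src MAC, ethertype IPv4
    "4500005c084800007c0170d8" "d8901445" "d890001b"  # IPv4 header, src, dst
    "080082aa02001e00"                                # ICMP: type 8, code 0, csum, id, seq
    + "aa" * 64                                       # echo payload
)

ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8
IPPROTO_ICMP = 1
ETHERTYPE_IPV4 = 0x0800


@dataclass
class ParsedFrame:
    frame_length: int        # bytes on the wire (Layer 2, what the sniffer reports)
    ip_total_length: int     # IPv4 Total Length field (Layer 3)
    src: str
    dst: str
    proto: int
    icmp_type: Optional[int]
    icmp_code: Optional[int]
    payload: bytes           # bytes after the ICMP header, if ICMP


def parse_frame(frame: bytes) -> ParsedFrame:
    """Decode Ethernet II + IPv4 (+ ICMP) just far enough to evaluate the route-map."""
    if len(frame) < 14 + 20:
        raise ValueError("frame too short for Ethernet + IPv4")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError(f"not IPv4: ethertype 0x{ethertype:04x}")
    ip = frame[14:]
    (ver_ihl, _tos, total_len, _ident, _flags_frag,
     _ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or total_len < ihl:
        raise ValueError("bad IPv4 header length fields")
    icmp_type = icmp_code = None
    payload = b""
    if proto == IPPROTO_ICMP and total_len - ihl >= 8:
        icmp_type, icmp_code = ip[ihl], ip[ihl + 1]
        payload = ip[ihl + 8:total_len]
    return ParsedFrame(
        frame_length=len(frame), ip_total_length=total_len,
        src=".".join(map(str, src)), dst=".".join(map(str, dst)),
        proto=proto, icmp_type=icmp_type, icmp_code=icmp_code, payload=payload,
    )


def acl_199_permits(pf: ParsedFrame) -> bool:
    """access-list 199 permit icmp any any echo / echo-reply (types 8 and 0)."""
    return pf.proto == IPPROTO_ICMP and pf.icmp_type in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY)


def route_map_nachi_worm_matches(pf: ParsedFrame, min_len: int = 92, max_len: int = 92,
                                 layer3_length: bool = True) -> bool:
    """Both clauses of 'route-map nachi-worm permit 10' must match.
    layer3_length=True applies the window to the IPv4 Total Length (this example's
    assumption about 'match length'); False applies it to the Layer 2 frame length,
    so the two readings can be compared on the same packet."""
    length = pf.ip_total_length if layer3_length else pf.frame_length
    return acl_199_permits(pf) and min_len <= length <= max_len


def describe(frame: bytes) -> dict:
    """Summarise what the filter would see for one captured frame."""
    pf = parse_frame(frame)
    kind = {ICMP_ECHO_REQUEST: "echo request", ICMP_ECHO_REPLY: "echo reply"}.get(pf.icmp_type, "other")
    return {
        "src": pf.src, "dst": pf.dst, "icmp": kind,
        "ip_total_length": pf.ip_total_length, "frame_length": pf.frame_length,
        "payload_len": len(pf.payload),
        "payload_all_0xAA": bool(pf.payload) and set(pf.payload) == {0xAA},
        "acl_199": acl_199_permits(pf),
        "route_map_l3_len": route_map_nachi_worm_matches(pf, layer3_length=True),
        "route_map_l2_len": route_map_nachi_worm_matches(pf, layer3_length=False),
    }


if __name__ == "__main__":
    for key, value in describe(CAPTURED_FRAME).items():
        print(f"{key:18} {value}")
```

Run as a script it prints the decoded fields for the capture: an echo request (type 8) from 216.144.20.69 to 216.144.0.27, IP total length 92, frame length 106, 64 payload bytes all 0xAA. Against the Layer 3 length both clauses match; against the frame length the 92..92 window does not, which is the first thing to check when a length-based route-map lets a packet through.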


