From: marvin greenlee (marvin@ccbootcamp.com)
Date: Fri Mar 04 2005 - 17:00:01 GMT-3
"...Filtering fragments adds an additional layer of protection against a DoS
attack that uses only noninitial fragments (such as FO > 0). Using a deny
statement for noninitial fragments at the beginning of the ACL denies all
noninitial fragments from accessing the router. Under rare circumstances, a
valid session might require fragmentation and therefore be filtered if a
deny fragment statement exists in the ACL..."
See also:
Cisco - Protecting Your Core: Infrastructure Protection Access Control Lists - http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a00801a1a55.shtml
Cisco - Access Control Lists and IP Fragments - http://www.cisco.com/en/US/tech/tk827/tk369/technologies_white_paper09186a00800949b8.shtml
Marvin Greenlee, CCIE#12237, CCSI# 30483
Network Learning Inc
marvin@ccbootcamp.com
www.ccbootcamp.com (Cisco Training)
-----Original Message-----
From: Edwards, Andrew M [mailto:andrew.m.edwards@boeing.com]
Sent: Friday, March 04, 2005 11:45 AM
To: marvin greenlee; Matt White; ccielab@groupstudy.com
Subject: RE: Fragment control in access-lists. [bcc][faked-from]
So if I understand this correctly.
The first packet is not considered a fragment.
So, the first packet matches the second statement to permit web traffic.
Then all subsequent packets that ARE fragments will be matched by the
first ACL.
Yes?
-----Original Message-----
From: marvin greenlee [mailto:marvin@ccbootcamp.com]
Sent: Thursday, March 03, 2005 9:49 AM
To: 'Matt White'; ccielab@groupstudy.com
Subject: RE: Fragment control in access-lists. [bcc][faked-from]
The router will not let you specify both.
Router(config)#access-list 101 deny tcp any host 1.1.1.1 eq 80 ?
ack Match on the ACK bit
dscp Match packets with given dscp value
established Match established connections
fin Match on the FIN bit
log Log matches against this entry
log-input Log matches against this entry, including input interface
precedence Match packets with given precedence value
psh Match on the PSH bit
rst Match on the RST bit
syn Match on the SYN bit
time-range Specify a time-range
tos Match packets with given TOS value
urg Match on the URG bit
<cr>
Router(config)#access-list 101 deny tcp any host 1.1.1.1 frag ?
dscp Match packets with given dscp value
log Log matches against this entry
log-input Log matches against this entry, including input interface
precedence Match packets with given precedence value
time-range Specify a time-range
tos Match packets with given TOS value
<cr>
Marvin Greenlee, CCIE#12237, CCSI# 30483
Network Learning Inc
marvin@ccbootcamp.com
www.ccbootcamp.com (Cisco Training)
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Matt White
Sent: Thursday, March 03, 2005 7:43 AM
To: ccielab@groupstudy.com
Subject: Fragment control in access-lists. [bcc][faked-from]
Importance: Low
According to the example on the Doc CD (link below), in order to
deny fragments to, say, a web server, you initially need to deny
fragments to everything, then permit 80 in.
Can someone explain why you cannot initially deny fragments to just port
80, or am I just completely off base here?
Thanks.
!
access-list 101 deny ip any host 1.1.1.1 fragments
access-list 101 permit tcp any host 1.1.1.1 eq 80
access-list 101 deny ip any any
!
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fipr_c/ipcprt1/1cfip.htm#1129413
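The following simulator is an added illustration, not code from the thread or from Cisco. It models the three ACE rules the thread relies on (an ACE with the `fragments` keyword matches only noninitial fragments and cannot carry a port; a Layer-3-only ACE matches every fragment; an ACE with Layer 4 information cannot inspect a noninitial fragment, so a permit entry lets it through and a deny entry is skipped) and runs Matt's three-line ACL against an initial packet and a noninitial fragment. It also evaluates a constructed variant with the `fragments` line moved after the `permit ... eq 80` line, which shows why the deny must come first, and it reproduces the CLI refusal Marvin showed by rejecting `eq 80 fragments`. The packet values (offset 185, port 22) are constructed for the demonstration.

```python
"""Model of Cisco IOS extended-ACL evaluation for IP fragments.

Rules (from the Cisco "Access Control Lists and IP Fragments" paper):
  * 'fragments' ACE: matches only noninitial fragments (FO > 0);
    IOS will not let it carry Layer 4 information.
  * Layer-3-only ACE: matches initial and noninitial fragments alike.
  * ACE with Layer 4 info (a port): a noninitial fragment has no L4
    header to check, so a permit ACE permits it and a deny ACE is
    skipped (next ACE is tried).
Added example, not Cisco's implementation.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Packet:
    proto: str               # "tcp", "udp", ...
    dst: str                 # destination address
    dport: Optional[int]     # None when no L4 header (noninitial fragment)
    frag_offset: int         # 0 = initial fragment or unfragmented packet

    @property
    def noninitial(self) -> bool:
        return self.frag_offset > 0


@dataclass
class Ace:
    action: str              # "permit" or "deny"
    proto: str               # "ip", "tcp", ...
    dst: str                 # host address or "any"
    dport: Optional[int] = None
    fragments: bool = False

    def __post_init__(self) -> None:
        # IOS rejects 'fragments' together with a port, as the '?' output shows
        if self.fragments and self.dport is not None:
            raise ValueError("'fragments' cannot be combined with Layer 4 info")


def parse_ace(line: str) -> Ace:
    """Parse 'access-list N <action> <proto> any {host A|any} [eq P] [fragments]'."""
    tok = line.split()
    action, proto = tok[2], tok[3]
    if tok[4] != "any":
        raise ValueError("only 'any' source is modelled here")
    if tok[5] == "host":
        dst, i = tok[6], 7
    else:
        dst, i = "any", 6
    rest = tok[i:]
    dport = int(rest[rest.index("eq") + 1]) if "eq" in rest else None
    return Ace(action, proto, dst, dport, "fragments" in rest)


def is_valid_ace(line: str) -> bool:
    """True if IOS (per the modelled rules) would accept this ACE."""
    try:
        parse_ace(line)
        return True
    except ValueError:
        return False


def _l3_match(ace: Ace, pkt: Packet) -> bool:
    proto_ok = ace.proto == "ip" or ace.proto == pkt.proto
    dst_ok = ace.dst == "any" or ace.dst == pkt.dst
    return proto_ok and dst_ok


def evaluate(acl: List[Ace], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, index of matching ACE); None index = implicit deny."""
    for idx, ace in enumerate(acl):
        if not _l3_match(ace, pkt):
            continue
        if ace.fragments:                      # matches noninitial only
            if pkt.noninitial:
                return ace.action, idx
            continue
        if ace.dport is None:                  # Layer-3-only ACE
            return ace.action, idx
        if pkt.noninitial:                     # port cannot be inspected
            if ace.action == "permit":
                return "permit", idx
            continue                           # deny with L4 info is skipped
        if pkt.dport == ace.dport:
            return ace.action, idx
    return "deny", None


# The ACL from Matt's message.
THREAD_ACL = [parse_ace(l) for l in (
    "access-list 101 deny ip any host 1.1.1.1 fragments",
    "access-list 101 permit tcp any host 1.1.1.1 eq 80",
    "access-list 101 deny ip any any",
)]

# Constructed variant: 'fragments' deny placed after the port-80 permit.
WRONG_ORDER_ACL = [parse_ace(l) for l in (
    "access-list 101 permit tcp any host 1.1.1.1 eq 80",
    "access-list 101 deny ip any host 1.1.1.1 fragments",
    "access-list 101 deny ip any any",
)]

if __name__ == "__main__":
    first = Packet("tcp", "1.1.1.1", 80, 0)          # initial fragment, not a "fragment"
    later = Packet("tcp", "1.1.1.1", None, 185)      # noninitial fragment, constructed offset
    print("thread ACL, initial packet:     ", evaluate(THREAD_ACL, first))
    print("thread ACL, noninitial fragment:", evaluate(THREAD_ACL, later))
    print("wrong order, noninitial fragment:", evaluate(WRONG_ORDER_ACL, later))
    print("eq 80 fragments accepted by CLI?", is_valid_ace(
        "access-list 101 deny tcp any host 1.1.1.1 eq 80 fragments"))
```

The wrong-order run is the answer to Matt's question: with the port-80 permit first, a noninitial fragment carries no TCP header, so the permit entry is taken as a match and the `fragments` deny is never reached. The same mechanics produce the caveat in the quoted Cisco text: a legitimately fragmented HTTP packet has its noninitial pieces dropped by the first line of the thread's ACL.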
This archive was generated by hypermail 2.1.4 : Sun Apr 03 2005 - 17:56:40 GMT-3