Re: Prevent fragment attack without break web service posted 12/02/2005


Shouldn't this ACL be reordered as below?

access-list 100 permit tcp any host 10.10.10.10 eq www established
access-list 100 deny ip any host 10.10.10.10 fragment
access-list 100 permit ip any any

This will let the established TCP traffic from inside pass through
even if the packets are fragmented, whereas the unestablished
fragment packets would be dropped by the second ACL. Agree?

-Venkat

On 11/8/05, nhqky888@xxxxxxxxx <nhqky888@xxxxxxxxx> wrote:
> Hi,
>
> A hacker is doing a fragment attack on WEB server 10.10.10.10.
> Filtering fragmented packets should be done to prevent this.
>
> Here is the acl,
>
> access-list 100 deny ip any host 10.10.10.10 fragment
> access-list 100 permit ip any any
>
> This acl filters any fragmented HTTP packets web users use, I think.
>
>
> Second acl,
>
> access-list 100 permit tcp any host 10.10.10.10 fragment
> access-list 100 deny ip any host 10.10.10.10 fragment
> access-list 100 permit ip any any
>
>
> This acl permits any fragmented HTTP packets web users use;
> however, this server will be attacked with TCP fragments.
>
> How can I accomplish this task without breaking Web services?
>
> I've read Cisco router FW security by Deal, and
> Deal indicates this as a lower security risk in it:
>
> access-list 100 deny ip any host 10.10.10.10 fragment
> access-list 100 permit tcp any host 10.10.10.10 eq www established
> access-list 100 permit ip any any
>
>
>
> Please give me any suggestions.
>
>
>
> Thanks,
>
>
> KY
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
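As an added illustration that is not part of the thread, here is a small Python model of Cisco's documented ACL rules for IP fragments, applied to the reordering proposed in the reply and to the ordering from Deal's book quoted in the question: an entry with the fragments keyword matches only non-initial fragments, and a non-initial fragment that reaches an entry carrying Layer 4 information (a port or established) has no TCP header to check, so a permit entry permits it and a deny entry is skipped. The Ace and Packet field names and the sample packets are my own constructions.

```python
from dataclasses import dataclass

@dataclass
class Ace:
    action: str               # "permit" or "deny"
    proto: str                # "ip" or "tcp"
    dst: str                  # "any" or a host address
    port: int = 0             # "eq www" -> 80; 0 means no port given
    established: bool = False # "established": ACK or RST must be set
    fragments: bool = False   # "fragments": non-initial fragments only

@dataclass
class Packet:
    proto: str
    dst: str
    offset: int = 0           # IP fragment offset; > 0 means non-initial
    dport: int = 0            # present only when offset == 0
    ack_or_rst: bool = False  # present only when offset == 0

def evaluate(acl: list, pkt: Packet) -> str:
    """Return the action the ACL applies to pkt (implicit deny at the end)."""
    non_initial = pkt.offset > 0
    for ace in acl:
        if ace.proto not in ("ip", pkt.proto) or ace.dst not in ("any", pkt.dst):
            continue  # Layer 3 part of the entry does not match
        if ace.fragments:
            if non_initial:
                return ace.action
            continue  # 'fragments' entries never match initial/whole packets
        if non_initial and (ace.port or ace.established):
            # No TCP header in a non-initial fragment, so the Layer 4 part
            # cannot be checked: a permit entry permits it, a deny is skipped
            if ace.action == "permit":
                return "permit"
            continue
        if ace.port and pkt.dport != ace.port:
            continue
        if ace.established and not pkt.ack_or_rst:
            continue
        return ace.action
    return "deny"

# Ordering proposed in the reply above
VENKAT_ORDER = [
    Ace("permit", "tcp", "10.10.10.10", port=80, established=True),
    Ace("deny", "ip", "10.10.10.10", fragments=True),
    Ace("permit", "ip", "any"),
]
# Ordering quoted from Deal's book in the original question
DEAL_ORDER = [VENKAT_ORDER[1], VENKAT_ORDER[0], VENKAT_ORDER[2]]
```

Running evaluate over a constructed non-initial TCP fragment shows the difference between the two orderings: with the permit-first ordering the fragment is accepted by the first entry before the deny with fragments is ever reached, while the deny-first ordering drops it.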