https://community.cisco.com/t5/network-security/pix-dos/m-p/698758#M1035339 <HTML><HEAD></HEAD><BODY><P>Thanks, how bout if i filter rfc1918, 2827, i'm digging cisco's website and found this url</P><P><A class="jive-link-custom" href="http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a00801afc76.shtml" target="_blank">http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a00801afc76.shtml</A></P><P></P><P>I think this also can be done with PIX, another thing is, is it possible to stop arp attack with pix 6.3(5) , as fas as i know this function only available with pix v7.0 +</P><P></P><P>Thank you.</P></BODY></HTML> Thu, 23 Nov 2006 00:52:53 GMT tonny_ecmyy 2006-11-23T00:52:53Z https://community.cisco.com/t5/network-security/pix-dos/m-p/698755#M1035332 <P>Hi,</P><P>Currently i'm having trouble with this type of thing, my customer complaint that the PIX doesn't stop the threat, they have set emb_limit, max_conn, ip verify. And also when show ip audit count, large icmp is very high, is this a good news because pix can deny it, or bad news because it can't stop the attack. Any suggestion what is the good config to stop this, they using pix506e 6.3(5) , thank you very much <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P><P></P><P></P> Mon, 11 Mar 2019 08:59:13 GMT https://community.cisco.com/t5/network-security/pix-dos/m-p/698755#M1035332 tonny_ecmyy 2019-03-11T08:59:13Z https://community.cisco.com/t5/network-security/pix-dos/m-p/698756#M1035333 <HTML><HEAD></HEAD><BODY><P>Its not possible to stop traffic arriving to PIX. This must be done on device(s) in fronf of pix</P><P>..PIX can only deny this traffic (stop passing to inside)</P><P>We had similar issue and we asked ISP to block this unwanted traffic.. Provider could also implement some ICMP rate-limiting solution or some IPS solution</P><P>M.</P></BODY></HTML> Wed, 22 Nov 2006 09:46:36 GMT https://community.cisco.com/t5/network-security/pix-dos/m-p/698756#M1035333 m.sir 2006-11-22T09:46:36Z https://community.cisco.com/t5/network-security/pix-dos/m-p/698757#M1035335 <HTML><HEAD></HEAD><BODY><P>If the amount of garbage directed/filtered by PIX is huge, and while waiting for the ISP to respond, create (or add) an ACL denying all ICMP but permit tcp/udp, and apply it on the router Fastethernet interface facing your PIX's outside interface.</P><P></P><P>Alternate option is to create rate-limit and apply it on serial interface facing internet/ISP.</P><P></P><P>The following config example is quiet similar to your scenario:</P><P></P><P><A class="jive-link-custom" href="http://www.cisco.com/en/US/products/hw/switches/ps708/products_configuration_guide_chapter09186a008019c6e7.html" target="_blank">http://www.cisco.com/en/US/products/hw/switches/ps708/products_configuration_guide_chapter09186a008019c6e7.html</A></P><P></P><P></P><P>This will stop the attack while getting ISP to make their move (sometimes too slow...)</P><P></P><P>HTH</P><P>AK</P><P></P><P></P></BODY></HTML> Wed, 22 Nov 2006 10:52:04 GMT https://community.cisco.com/t5/network-security/pix-dos/m-p/698757#M1035335 a.kiprawih 2006-11-22T10:52:04Z https://community.cisco.com/t5/network-security/pix-dos/m-p/698758#M1035339 <HTML><HEAD></HEAD><BODY><P>Thanks, how bout if i filter rfc1918, 2827, i'm digging cisco's website and found this url</P><P><A class="jive-link-custom" href="http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a00801afc76.shtml" target="_blank">http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a00801afc76.shtml</A></P><P></P><P>I think this also can be done with PIX, another thing is, is it possible to stop arp attack with pix 6.3(5) , as fas as i know this function only available with pix v7.0 +</P><P></P><P>Thank you.</P></BODY></HTML> Thu, 23 Nov 2006 00:52:53 GMT https://community.cisco.com/t5/network-security/pix-dos/m-p/698758#M1035339 tonny_ecmyy 2006-11-23T00:52:53Z https://community.cisco.com/t5/network-security/pix-dos/m-p/698759#M1035343 <HTML><HEAD></HEAD><BODY><P>RFC 1918 is for you to deny private IP Address (192.168.x.x, 172.16.x.x, 10.x.x.x) on from hitting you back (coming from) from outside, i,e router.</P><P></P><P>RFC2827 is for you to deny your own Public IP range from coming into your network from ISP. It should only go out from your network to ISP. Other unknown Public IP from your network towards ISP also block. But they're allowed to come in from ISP to your network.</P><P></P><P>*ISP to do the same from their end</P><P></P><P>You can apply RFC 1918 on PIX, while RFC2827 on router (serial intf facing ISP/WAN).</P><P></P><P>In 6.3(5), ARP attack looks difficult to deny.</P><P></P><P>In log, you probably will see:</P><P></P><P>PIX-4-405001: Received ARP {request | response} collision from </P><P>IP_address/mac_address on interface interface_name</P><P></P><P>If your PIX meet PIX7.0 (or latest) requirements (and $$), maybe you should upgrade it.</P><P></P><P></P><P>HTH</P><P>AK</P></BODY></HTML> Thu, 23 Nov 2006 01:05:59 GMT https://community.cisco.com/t5/network-security/pix-dos/m-p/698759#M1035343 a.kiprawih 2006-11-23T01:05:59Z https://community.cisco.com/t5/network-security/pix-dos/m-p/698760#M1035347 <HTML><HEAD></HEAD><BODY><P>Man.. why a lot of collisions &amp; deferred on pix outside interface, is this normal?</P><P></P><P>pix# sh int</P><P>interface ethernet0 "outside" is up, line protocol is up</P><P> Hardware is i82559 ethernet, address is xxxx.xxxx.xxxx</P><P> IP address x.x.x.150, subnet mask 255.255.255.240</P><P> MTU 1500 bytes, BW 10000 Kbit half duplex</P><P> 49806084 packets input, 1900966895 bytes, 0 no buffer</P><P> Received 28525 broadcasts, 0 runts, 0 giants</P><P> 0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort</P><P> 74851548 packets output, 665950688 bytes, 0 underruns</P><P> 0 output errors, 1566555 collisions, 0 interface resets</P><P> 0 babbles, 0 late collisions, 412197 deferred</P><P> 0 lost carrier, 0 no carrier</P><P> input queue (curr/max blocks): hardware (128/128) software (0/23)</P><P> output queue (curr/max blocks): hardware (0/128) software (0/1)</P><P>interface ethernet1 "inside" is up, line protocol is up</P><P> Hardware is i82559 ethernet, address is xxxx.xxxx.xxxx</P><P> IP address 192.168.x.x, subnet mask 255.255.255.0</P><P> MTU 1500 bytes, BW 100000 Kbit full duplex</P><P> 74215126 packets input, 638648644 bytes, 0 no buffer</P><P> Received 135138 broadcasts, 0 runts, 0 giants</P><P> 0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort</P><P> 48419528 packets output, 1787016600 bytes, 0 underruns</P><P> 0 output errors, 0 collisions, 0 interface resets</P><P> 0 babbles, 0 late collisions, 0 deferred</P><P> 0 lost carrier, 0 no carrier</P><P> input queue (curr/max blocks): hardware (128/128) software (0/28)</P><P> output queue (curr/max blocks): hardware (2/66) software (0/1)</P></BODY></HTML> Thu, 23 Nov 2006 02:04:05 GMT https://community.cisco.com/t5/network-security/pix-dos/m-p/698760#M1035347 tonny_ecmyy 2006-11-23T02:04:05Z https://community.cisco.com/t5/network-security/pix-dos/m-p/698761#M1035350 <HTML><HEAD></HEAD><BODY><P>Ohhh man... i find this</P><P><A class="jive-link-custom" href="http://www.securiteam.com/securitynews/5AP032AI0A.html" target="_blank">http://www.securiteam.com/securitynews/5AP032AI0A.html</A></P><P></P><P>and its related to this</P><P><A class="jive-link-custom" href="http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_security_notice09186a0080624a37.html" target="_blank">http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_security_notice09186a0080624a37.html</A></P><P>and how do i download the software 6.3(5.106). because i dont have the access to that area. Any one.. please give me the software... mail to <A href="mailto:tony.g@wtexcellence.com.my">tony.g@wtexcellence.com.my</A></P><P></P><P>Please help, i'm in big trouble, thank you very much</P></BODY></HTML> Thu, 23 Nov 2006 02:35:24 GMT https://community.cisco.com/t5/network-security/pix-dos/m-p/698761#M1035350 tonny_ecmyy 2006-11-23T02:35:24Z