11-22-2006 01:33 AM - edited 03-11-2019 01:59 AM
Hi,
Currently I'm having trouble with this type of thing: my customer complains that the PIX doesn't stop the threat. They have set emb_limit, max_conn and ip verify. Also, when I run show ip audit count, "large icmp" is very high. Is this good news because the PIX can deny it, or bad news because it can't stop the attack? Any suggestion what a good config to stop this would be? They're using a pix506e with 6.3(5). Thank you very much :)
11-22-2006 01:46 AM
It's not possible to stop traffic arriving at the PIX. This must be done on device(s) in front of the PIX.
The PIX can only deny this traffic (stop it passing to the inside).
We had a similar issue and we asked the ISP to block this unwanted traffic. The provider could also implement some ICMP rate-limiting solution or some IPS solution.
M.
11-22-2006 02:52 AM
If the amount of garbage directed at/filtered by the PIX is huge, then while waiting for the ISP to respond, create (or add) an ACL denying all ICMP but permitting tcp/udp, and apply it on the router FastEthernet interface facing your PIX's outside interface.
An alternative option is to create a rate-limit and apply it on the serial interface facing the internet/ISP.
The following config example is quite similar to your scenario:
This will stop the attack while getting the ISP to make their move (sometimes too slow...)
HTH
AK
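The config AK refers to above is not reproduced in the thread. As an added example (not AK's config and not from the original post), here is what the two options look like on an IOS router: an ACL that drops ICMP but passes TCP/UDP, applied outbound on the FastEthernet interface toward the PIX, and a CAR rate-limit on the ISP-facing serial interface. The interface names, access-list numbers and the 64 kbit/s ICMP budget are assumptions. It goes one step beyond the post by permitting ICMP "packet-too-big" before the deny, so path MTU discovery for inside hosts keeps working while the filter is in place.

```cisco
! Added example (not AK's own config). Interface names, ACL numbers and the
! ICMP budget are assumptions; adjust them to the real router.
!
! Option 1: drop ICMP toward the PIX, leave TCP/UDP untouched.
! Goes beyond the post by keeping "packet-too-big" so path MTU
! discovery for inside hosts is not broken by the filter.
access-list 110 permit icmp any any packet-too-big
access-list 110 deny   icmp any any log
access-list 110 permit tcp  any any
access-list 110 permit udp  any any
! Anything else (GRE, ESP, ...) hits the implicit deny at the end of
! the list; add explicit permits if the site uses such protocols.
!
interface FastEthernet0/0
 description LAN side, faces the PIX outside interface
 ip access-group 110 out
!
! Option 2: instead of dropping all ICMP, cap it with CAR on the
! ISP-facing serial link. 64 kbit/s with 8000-byte bursts is an
! assumed budget, not a recommendation from the thread.
access-list 120 permit icmp any any
!
interface Serial0/0
 description WAN side, faces the ISP
 rate-limit input access-group 120 64000 8000 8000 conform-action transmit exceed-action drop
!
! While the flood is running, check which lines are matching and how
! much ICMP CAR is dropping:
!   show access-lists 110
!   show interfaces Serial0/0 rate-limit
```

The ACL is applied outbound on the PIX-facing interface because that is where the post places it; the same list applied inbound on the serial interface would drop the flood one hop earlier and save router CPU. Either way the log keyword on the deny line gives a per-packet syslog rate that itself can load the router under a heavy flood, so drop it once the counters have confirmed the filter is matching.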
11-22-2006 04:52 PM
Thanks. How about if I filter RFC 1918 and RFC 2827? I was digging through Cisco's website and found this URL:
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a00801afc76.shtml
I think this can also be done with the PIX. Another thing: is it possible to stop an ARP attack with PIX 6.3(5)? As far as I know this function is only available with PIX v7.0+.
Thank you.
11-22-2006 05:05 PM
RFC 1918 is for you to deny private IP addresses (192.168.x.x, 172.16.x.x, 10.x.x.x) from hitting you (coming in from outside), i.e. on the router.
RFC 2827 is for you to deny your own public IP range from coming into your network from the ISP. It should only go out from your network to the ISP. Other, unknown public IPs from your network towards the ISP are also blocked, but they're allowed to come in from the ISP to your network.
*ISP to do the same from their end
You can apply RFC 1918 on the PIX, and RFC 2827 on the router (serial interface facing ISP/WAN).
In 6.3(5), an ARP attack looks difficult to deny.
In the log, you will probably see:
PIX-4-405001: Received ARP {request | response} collision from
IP_address/mac_address on interface interface_name
If your PIX meets the PIX 7.0 (or latest) requirements (and $$), maybe you should upgrade it.
HTH
AK
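As an added example (not AK's config and not from the original thread), this is the split AK describes: RFC 1918 filtering on the PIX 6.3 outside interface, and RFC 2827 ingress/egress filtering on the router's ISP-facing serial interface. 203.0.113.0/24 stands in for the customer's public block and 203.0.113.10 for a published web server; both are placeholders from the documentation range, as are the ACL names and interface names. The PIX lines use the full 172.16.0.0/12 RFC 1918 block rather than just 172.16.x.x, and add the ip verify reverse-path check the original poster mentioned.

```cisco
! Added example, not AK's config. 203.0.113.0/24 is a placeholder for the
! customer's public block, 203.0.113.10 for a published server.
!
! --- PIX 6.3, outside interface: RFC 1918 sources must never arrive
!     from the Internet. PIX 6.x ACLs take real netmasks, not wildcards.
access-list outside_in deny ip 10.0.0.0 255.0.0.0 any log
access-list outside_in deny ip 172.16.0.0 255.240.0.0 any log
access-list outside_in deny ip 192.168.0.0 255.255.0.0 any log
! Only what is actually published; everything else hits the implicit deny.
access-list outside_in permit tcp any host 203.0.113.10 eq www
access-group outside_in in interface outside
!
! Unicast RPF on outside complements the ACL: a packet arriving on
! outside whose source address routes to another interface (for
! example an inside address) is dropped before the ACL is consulted.
ip verify reverse-path interface outside
!
! --- Router, serial interface facing the ISP (RFC 2827):
! inbound, our own public block is never a legitimate source;
access-list 130 deny   ip 203.0.113.0 0.0.0.255 any log
access-list 130 permit ip any any
! outbound, only our own public block may be a source.
access-list 131 permit ip 203.0.113.0 0.0.0.255 any
access-list 131 deny   ip any any log
!
interface Serial0/0
 description Link to ISP
 ip access-group 130 in
 ip access-group 131 out
!
! Verify hit counts per line: "show access-list" on the PIX,
! "show access-lists 130" / "show access-lists 131" on the router.
```

The outbound list 131 works because the PIX translates inside hosts to addresses in the public block before the router sees them; if any inside traffic leaves untranslated (a "nat 0" exemption, a VPN tunnel terminating on the router) those sources need their own permit line or they will be dropped on the way out.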
11-22-2006 06:04 PM
Man.. why are there a lot of collisions & deferred on the PIX outside interface? Is this normal?
pix# sh int
interface ethernet0 "outside" is up, line protocol is up
Hardware is i82559 ethernet, address is xxxx.xxxx.xxxx
IP address x.x.x.150, subnet mask 255.255.255.240
MTU 1500 bytes, BW 10000 Kbit half duplex
49806084 packets input, 1900966895 bytes, 0 no buffer
Received 28525 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
74851548 packets output, 665950688 bytes, 0 underruns
0 output errors, 1566555 collisions, 0 interface resets
0 babbles, 0 late collisions, 412197 deferred
0 lost carrier, 0 no carrier
input queue (curr/max blocks): hardware (128/128) software (0/23)
output queue (curr/max blocks): hardware (0/128) software (0/1)
interface ethernet1 "inside" is up, line protocol is up
Hardware is i82559 ethernet, address is xxxx.xxxx.xxxx
IP address 192.168.x.x, subnet mask 255.255.255.0
MTU 1500 bytes, BW 100000 Kbit full duplex
74215126 packets input, 638648644 bytes, 0 no buffer
Received 135138 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
48419528 packets output, 1787016600 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
input queue (curr/max blocks): hardware (128/128) software (0/28)
output queue (curr/max blocks): hardware (2/66) software (0/1)
11-22-2006 06:35 PM
Ohhh man... I found this
http://www.securiteam.com/securitynews/5AP032AI0A.html
and it's related to this
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_security_notice09186a0080624a37.html
and how do I download the software 6.3(5.106)? Because I don't have access to that area. Anyone.. please give me the software... mail to tony.g@wtexcellence.com.my
Please help, I'm in big trouble. Thank you very much.