ACL deny all UDP packet not working correctly

darwick (Level 1)

Hello,

I have a router configuration which works logically like this:

Transit provider (via BGP) ---> My 6509 (SUP2T) router's Te3/1 L3 interface ----> TE4/1 switch Gi0/1 ----> Eth0 Server (1.2.3.4)

Because the server is attacked by random UDP packets on random ports, I think my best option would be to filter all UDP packets, except port 53, on my router's Te3/1 interface, on the uplink. My ACL rule looks like this:

Extended IP access list backendfilter
10 permit icmp any host 1.2.3.4
20 permit tcp any host 1.2.3.4
30 permit udp any host 1.2.3.4 eq domain
40 deny ip any host 1.2.3.4
50 permit ip any any

And of course, I applied it to Te3/1:

interface TenGigabitEthernet3/1
description BGP Uplink Defaultroute
ip address 11.22.33.44
ip access-group backendfilter in
ip verify unicast source reachable-via any allow-default

But it does not work for some reason and I don't know why not. If I log into 1.2.3.4 and sniff the packets with tcpdump, I still see the server getting the UDP packets:

18:14:44.095168 IP attackerIP1 > 1.2.3.4: ip-proto-17
18:14:44.095186 IP attackerIP2 > 1.2.3.4: ip-proto-17
18:14:44.095190 IP attackerIP3 > 1.2.3.4: ip-proto-17
18:14:44.095194 IP attackerIP4 > 1.2.3.4: ip-proto-17
18:14:44.095196 IP attackerIP5 > 1.2.3.4: ip-proto-17

Something must be wrong with the ACL itself, because if I remove line 10, which allows the ICMP packets, I still get the pings coming through.

There is no other uplink interface in the router, so it is impossible to get the packets from another link.

I also tried applying this ACL to the switch's Te4/1 interface (ip access-group backendfilter out), but it also did not work for me.

Could somebody please help me figure out what I am doing wrong?

2 Replies

Hello,

What is the output of:

show ip access-lists

Do you see any hits?

Hello,

Thank you for trying to figure it out.

The show ip access-list backendfilter output is:

Extended IP access list backendfilter
10 permit icmp any host 1.2.3.4
20 permit tcp any host 1.2.3.4
30 permit udp any host 1.2.3.4 eq domain
40 deny ip any host 1.2.3.4
50 permit ip any any

and I see some hits, but fewer than I expected.

Number 10, which allows the ICMP packets, should show 10 hits, because I sent 10 ping packets from outside, but it only shows 2.

Number 30 should show me some too, because I sent some DNS queries to that server and it replied with the right answer, but the counter does not show any (0 hits).

The number 40 and number 50 counters are increasing by 100 every second.
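To reason about the ACL from the first post and the counters reported in this reply, here is an added example (my own code, not from the thread or from Cisco): a small Python simulator that applies first-match ACL semantics to the backendfilter ACEs and to constructed tcpdump summary lines, reporting which ACE each packet should hit and what per-ACE counters "show ip access-lists" should therefore show. The sample lines and addresses are constructed, the tcpdump parsing heuristic is mine, and the simulator assumes a summary line without a port (such as "ip-proto-17") cannot match the port-qualified line 30; whether the router's hardware-switched path counts or evaluates those packets the same way is not something this example can tell you.

```python
import re

# The ACL from the thread as (seq, action, proto, dst_host, dst_port); None = "any"/no port.
BACKENDFILTER = [
    (10, "permit", "icmp", "1.2.3.4", None),
    (20, "permit", "tcp", "1.2.3.4", None),
    (30, "permit", "udp", "1.2.3.4", 53),   # eq domain
    (40, "deny", "ip", "1.2.3.4", None),
    (50, "permit", "ip", None, None),
]

LINE = re.compile(r"IP \d+\.\d+\.\d+\.\d+(?:\.\d+)? > (\d+\.\d+\.\d+\.\d+)(?:\.(\d+))?: (.*)")

def parse_tcpdump(line):
    """Return (dst_ip, proto, dst_port or None); a line like "> 1.2.3.4: ip-proto-17" has no port."""
    m = LINE.search(line)
    if not m:
        raise ValueError(f"unrecognised capture line: {line!r}")
    dst, dport, rest = m.groups()
    # Heuristic sufficient for the sample: ICMP text, TCP flags, otherwise assume UDP.
    proto = "icmp" if rest.startswith("ICMP") else "tcp" if "Flags [" in rest else "udp"
    return dst, proto, int(dport) if dport else None

def evaluate(acl, pkt):
    """Cisco ACL semantics: top-down, first matching ACE wins, implicit deny at the end."""
    dst, proto, dport = pkt
    for seq, action, ace_proto, ace_dst, ace_port in acl:
        # A port-qualified ACE (line 30) matches only when the packet carries that port.
        if ace_proto in ("ip", proto) and ace_dst in (None, dst) and ace_port in (None, dport):
            return seq, action
    return None, "deny"

def simulate(acl, lines):
    """Per-ACE hit counters (what 'show ip access-lists' should report) and a verdict per line."""
    hits, verdicts = {seq: 0 for seq, *_ in acl}, []
    for line in lines:
        seq, action = evaluate(acl, parse_tcpdump(line))
        if seq is not None:
            hits[seq] += 1
        verdicts.append(action)
    return hits, verdicts

# Constructed sample capture (documentation addresses, not the poster's attackers).
SAMPLE = [
    "18:14:44.095168 IP 198.51.100.1 > 1.2.3.4: ip-proto-17",
    "18:14:44.095186 IP 198.51.100.2.4444 > 1.2.3.4.9: UDP, length 1200",
    "18:14:44.095190 IP 198.51.100.3.40000 > 1.2.3.4.53: 1234+ A? example.com. (29)",
    "18:14:44.095194 IP 198.51.100.4 > 1.2.3.4: ICMP echo request, id 1, seq 1, length 64",
    "18:14:44.095198 IP 198.51.100.6.50000 > 203.0.113.9.123: UDP, length 48",
]
```

Run simulate(BACKENDFILTER, SAMPLE) and compare the returned counters with the real show ip access-lists output: every UDP packet to 1.2.3.4 that is not destined to port 53 should land on line 40, so line 50 should only count traffic to other destinations.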
